
Windows Analysis Report
dendy.exe

Overview

General Information

Sample name:dendy.exe
Analysis ID:1427876
MD5:446f080cd1ed262b4dd0c1ff2143297e
SHA1:b958c52622a02d7ed530f6d41a7e7c24a27f7918
SHA256:a211901dea69eab959b9e47a6276ba7f363b6857687c410adcaf56135586b7ea

Detection

RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • dendy.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\dendy.exe" MD5: 446F080CD1ED262B4DD0C1FF2143297E)
    • schtasks.exe (PID: 7144 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3428 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 952 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1464 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 6688 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 446F080CD1ED262B4DD0C1FF2143297E)
    • WerFault.exe (PID: 7164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 964 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 6996 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 446F080CD1ED262B4DD0C1FF2143297E)
    • WerFault.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6252 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 892 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 884 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 5164 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 446F080CD1ED262B4DD0C1FF2143297E)
    • WerFault.exe (PID: 4884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security

Source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown | Strings:
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(37 further entries not shown)

Source: 0.2.dendy.exe.400000.0.unpack | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 8.2.MPGPH131.exe.4a60e67.1.raw.unpack | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 26.2.RageMP131.exe.4a40e67.1.raw.unpack | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 0.2.dendy.exe.4a80e67.1.raw.unpack | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 26.2.RageMP131.exe.400000.0.unpack | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
(11 further entries not shown)

                          System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dendy.exe, ProcessId: 7028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort IDS alerts

Timestamp:04/18/24-09:41:54.899031
                          SID:2046269
                          Source Port:49731
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:16.817956
                          SID:2046267
                          Source Port:58709
                          Destination Port:49730
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:09.663282
                          SID:2046266
                          Source Port:58709
                          Destination Port:49730
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:53.335082
                          SID:2046269
                          Source Port:49730
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:42:13.250995
                          SID:2046269
                          Source Port:49746
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:09.471690
                          SID:2049060
                          Source Port:49730
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:42:02.523877
                          SID:2046269
                          Source Port:49739
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:13.824615
                          SID:2046266
                          Source Port:58709
                          Destination Port:49732
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:13.499765
                          SID:2046266
                          Source Port:58709
                          Destination Port:49731
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:43.723664
                          SID:2046267
                          Source Port:58709
                          Destination Port:49739
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:19.788174
                          SID:2046267
                          Source Port:58709
                          Destination Port:49731
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:19.803148
                          SID:2046267
                          Source Port:58709
                          Destination Port:49732
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:29.078780
                          SID:2046266
                          Source Port:58709
                          Destination Port:49739
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:54.901092
                          SID:2046269
                          Source Port:49732
                          Destination Port:58709
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:36.448653
                          SID:2046266
                          Source Port:58709
                          Destination Port:49746
                          Protocol:TCP
                          Classtype:A Network Trojan was detected
                          Timestamp:04/18/24-09:41:43.865022
                          SID:2046267
                          Source Port:58709
                          Destination Port:49746
                          Protocol:TCP
                          Classtype:A Network Trojan was detected

                          AV Detection

Source: dendy.exe | Avira: detected
Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/AVI.AceCrypter.tzrgz
Source: http://147.45.47.102:57893/hera/amadka.exe | Virustotal: Detection: 15%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 | Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe | Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 82%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 71%
Source: dendy.exe | ReversingLabs: Detection: 82%
Source: dendy.exe | Virustotal: Detection: 71%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: dendy.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree,0_2_0041F3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041F3EB CryptUnprotectData,LocalFree,8_2_0041F3EB

                          Compliance

Source: C:\Users\user\Desktop\dendy.exe | Unpacked PE file: 0.2.dendy.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: dendy.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dendy.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,0_2_0040E7B0
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,0_2_004DB1CB
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_0040B300
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,8_2_0040B300
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose,8_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA,8_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle,8_2_0043FBB9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_04B3B4B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,8_2_04B3B4B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_04B3B432 FindClose,FindFirstFileExW,GetLastError,8_2_04B3B432
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dendy.exe_aa9f15d75e87e911f42a0812ef56c2977edd110_fa985918_b25a0167-156e-47da-8b75-d9e08c1e0ac7\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_8da9ded6fcd3711f80e32889caff945e9691e_62a9ba1a_4f7c52ae-a147-40d8-a3f2-8a9bebe00511\

                          Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49746 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: global traffic | TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View | IP Address: 34.117.186.192 (2 entries)
Source: Joe Sandbox View | IP Address: 147.45.47.93
Source: Joe Sandbox View | IP Address: 104.26.5.15
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io (2 entries)
Source: global traffic | HTTP traffic detected (5 identical requests): GET /widget/demo/81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected (5 identical requests): GET /demo/home.php?s=81.181.57.52 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: db-ip.com
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,0_2_0041E220
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: unknownDNS traffic detected: queries for: ipinfo.io
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe2
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe6
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeCH
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
                          Source: MPGPH131.exe, 00000008.00000002.2510972800.0000000007967000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exedka.exeuKRx
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exehoin5
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeisepro_botj
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe.exe/HS2
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe192.168.0gA
                          Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe_tenant_idr
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exeania)
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exenesCH
                          Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                          Source: dendy.exe, dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                          Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/GIG
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/ZMru
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52A
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52dress
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/~
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52s
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/4
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.000000000308F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/8
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/X
                          Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52F
                          Source: dendy.exe, 00000000.00000002.2500536171.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52l
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/x
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                          Source: dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                          Source: xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                          Source: dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                          Source: xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2500536171.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, c9bTQaLpRNBVsUoe4pkuQMW.zip.26.dr, 6XWWeAeVicQTZ7HrJgfaAa9.zip.0.dr, 7SoGIg_Dgh61RYTHw6zemBp.zip.9.dr String found in binary or memory: https://t.me/RiseProSUPPORT
                          Source: dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT117.0.2045.47
                          Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTIva
                          Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTOU~
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTV
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTn
                          Source: MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTq
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.000000000312B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.0.dr, passwords.txt.26.dr String found in binary or memory: https://t.me/risepro_bot
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot1.181.57.52
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botDA
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlateraQ
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botomania
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrA
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bottl;
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://www.ecosia.org/newtab/
                          Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                          Source: dendy.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007967000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207118365.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210034289.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210806911.000000000782A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.000000000795F000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, 3b6N2Xdh3CYwplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/f
                          Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ATCH
                          Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/e.dat
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/esktop
                          Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207118365.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210034289.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210806911.000000000782A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.000000000795F000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, 3b6N2Xdh3CYwplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ragon
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxo
                          Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
                          Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040BAC0 GdiplusStartup, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, GdipCreateBitmapFromHBITMAP, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipSaveImageToFile, DeleteObject, GdipDisposeImage, DeleteObject, ReleaseDC, GdiplusShutdown

                          System Summary

                          Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                          Source: 00000009.00000002.2343201454.0000000002F6D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                          Source: 00000008.00000002.2508449882.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                          Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                          Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                          Source: 00000000.00000002.2501230299.000000000300C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                          Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                          Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004024108_2_00402410
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004944E08_2_004944E0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004164908_2_00416490
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004026008_2_00402600
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004846208_2_00484620
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004228528_2_00422852
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004908608_2_00490860
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0043EAEB8_2_0043EAEB
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004D2A908_2_004D2A90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00486AA08_2_00486AA0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004D0B308_2_004D0B30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0044EB908_2_0044EB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004F6CC58_2_004F6CC5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048ECA28_2_0048ECA2
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048CD808_2_0048CD80
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00490E408_2_00490E40
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0049EE708_2_0049EE70
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0049AE208_2_0049AE20
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED08_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00418EE08_2_00418EE0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00482FE08_2_00482FE0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00440FF58_2_00440FF5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048D0208_2_0048D020
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004CD0808_2_004CD080
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004872708_2_00487270
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0047F3608_2_0047F360
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004834708_2_00483470
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048B4F08_2_0048B4F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004E959F8_2_004E959F
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004A36EE8_2_004A36EE
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004337408_2_00433740
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004897208_2_00489720
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004497D08_2_004497D0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048F7B08_2_0048F7B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004019008_2_00401900
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004BB9E08_2_004BB9E0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004FD9FE8_2_004FD9FE
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004099A08_2_004099A0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00481A308_2_00481A30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004E3B588_2_004E3B58
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004E5B908_2_004E5B90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0048BC008_2_0048BC00
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00409D908_2_00409D90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004D1E508_2_004D1E50
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00483EF08_2_00483EF0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0043FF408_2_0043FF40
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0043FF138_2_0043FF13
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00485FD08_2_00485FD0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00493FF08_2_00493FF0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_04B494C48_2_04B494C4
Source: C:\Users\user\Desktop\dendy.exe | Code function: String function: 0048FE50 appears 35 times
Source: C:\Users\user\Desktop\dendy.exe | Code function: String function: 00469F00 appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 004DD5B0 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0048FE50 appears 91 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00469F00 appears 58 times
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868
Source: dendy.exe | Binary or memory string: OriginalFilename vs dendy.exe
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2343201454.0000000002F6D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2508449882.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2501230299.000000000300C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/129@2/3
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_00492300 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_00491D10 CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA
Source: C:\Users\user\Desktop\dendy.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5164
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6688
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6996
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Users\user\Desktop\dendy.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: dendy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dendy.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\dendy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dendy.exe, dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MPGPH131.exe, 00000008.00000003.2219788988.0000000007992000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE autofill_sync_metadata (model_typ;
Source: MPGPH131.exe, 00000008.00000003.2217856798.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217789940.0000000007992000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217503233.0000000007992000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207246038.000000000782C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2206986632.000000000782C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2252440203.000000000313C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2252918330.000000000313C000.00000004.00000020.00020000.00000000.sdmp, 6xQrR_hJnX90Login Data For Account.26.dr, q4newEXeW0gGLogin Data For Account.0.dr, BYnglavidnY6Login Data.9.dr, s5KTHH5Pma1BLogin Data For Account.9.dr, nF96X0gSy0TrLogin Data.0.dr, fd7hv5c9m7PWLogin Data.26.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: dendy.exe | ReversingLabs: Detection: 82%
Source: dendy.exe | Virustotal: Detection: 71%
Source: dendy.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\dendy.exe | File read: C:\Users\user\Desktop\dendy.exe
Source: unknown | Process created: C:\Users\user\Desktop\dendy.exe "C:\Users\user\Desktop\dendy.exe"
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 804
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 780
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 952
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 892
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1464
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 924
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 964
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 884
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1472
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 820
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: msvcr100.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: d3d11.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: dxgi.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: resourcepolicyclient.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: d3d10warp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: dxcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: devobj.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: webio.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: vaultcli.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dpapi.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\dendy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\dendy.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\dendy.exe | Unpacked PE file: 0.2.dendy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\dendy.exe | Unpacked PE file: 0.2.dendy.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,8_2_00409D90
Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState,0_2_0045DDE5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004C112B push ecx; iretd 8_2_004C112C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DD189 push ecx; ret 8_2_004DD19C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_02E3C17B push ebp; ret 8_2_02E3C181
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_02E3C536 push esp; ret 8_2_02E3C537
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_02E3DC08 push cs; ret 8_2_02E3DC09
Source: C:\Users\user\Desktop\dendy.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\dendy.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\dendy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\dendy.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00482FE0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00482FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: c:\users\user\desktop\dendy.exe Event Logs and Signature results: Application crash and keyboard check
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
                          Source: C:\Users\user\Desktop\dendy.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep graph_0-53224
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
                          Source: C:\Users\user\Desktop\dendy.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-50515
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
                          Source: C:\Users\user\Desktop\dendy.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-50709
                          Source: C:\Users\user\Desktop\dendy.exe Stalling execution: Execution stalls by calling Sleep graph_0-50522
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
                          Source: C:\Users\user\Desktop\dendy.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 8_2_0045D9F0
                          Source: C:\Users\user\Desktop\dendy.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-50641
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                          Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 31 > 30
                          Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 61 > 30
                          Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 78 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 60 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 33 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 52 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 102 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 56 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 54 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 105 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6256 Thread sleep count: 70 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6256 Thread sleep count: 122 > 30
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 0_2_00464270
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 0_2_004624B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 8_2_00464270
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 8_2_004624B0
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 0_2_00492190
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 8_2_00492190
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 8_2_0040E7B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 8_2_004DB1CB
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_0040B300
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 8_2_0041FA10
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 8_2_0043EAEB
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_004DB251
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle, 8_2_0043FBB9
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B4B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_04B3B4B8
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B432 FindClose,FindFirstFileExW,GetLastError, 8_2_04B3B432
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dendy.exe_aa9f15d75e87e911f42a0812ef56c2977edd110_fa985918_b25a0167-156e-47da-8b75-d9e08c1e0ac7\
                          Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_8da9ded6fcd3711f80e32889caff945e9691e_62a9ba1a_4f7c52ae-a147-40d8-a3f2-8a9bebe00511\
                          Source: Amcache.hve.7.dr Binary or memory string: VMware
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.0000000003050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&n
                          Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                          Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
                          Source: MPGPH131.exe, 00000008.00000003.1787082883.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                          Source: MPGPH131.exe, 00000009.00000003.2307496857.0000000007848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BFCABCAF
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                          Source: MPGPH131.exe, 00000009.00000003.2307496857.0000000007848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j
                          Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
                          Source: MPGPH131.exe, 00000008.00000003.2410074087.00000000079A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
                          Source: dendy.exe, 00000000.00000003.1745606759.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p;
                          Source: MPGPH131.exe, 00000008.00000003.2410074087.00000000079A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
                          Source: dendy.exe, 00000000.00000002.2500536171.0000000002E30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&R:
                          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
                          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                          Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
                          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                          Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                          Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
                          Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}U
                          Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
                          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
                          Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                          Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
                          Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
                          Source: MPGPH131.exe, 00000009.00000003.1783804935.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
                          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
                          Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
                          Source: RageMP131.exe, 0000001A.00000003.2392293405.0000000007981000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@:
                          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
                          Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                          Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                          Source: RageMP131.exe, 0000001A.00000003.1939608500.00000000030C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
                          Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
                          Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                          Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn<
                          Source: dendy.exe, 00000000.00000002.2500536171.0000000002E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxU
                          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
                          Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
                          Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnK
                          Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                          Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&@
                          Source: dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@I
                          Source: C:\Users\user\Desktop\dendy.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\dendy.exe Process queried: DebugPort
                          Source: C:\Users\user\Desktop\dendy.exe Process queried: DebugPort
                          Source: C:\Users\user\Desktop\dendy.exe Process queried: DebugPort
                          Source: C:\Users\user\Desktop\dendy.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00414870 IsDebuggerPresent, 0_2_00414870
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,OutputDebugStringA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] 0_2_004160B0
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 mov eax, dword ptr fs:[00000030h] 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0043CA90 mov eax, dword ptr fs:[00000030h] 0_2_0043CA90
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h]0_2_0045EA9C
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h]0_2_0041AB90
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h]0_2_0045D9F0
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h]0_2_0045D9F0
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h]0_2_0045DDE5
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h]0_2_0045DDE5
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h]0_2_0045DDE5
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h]0_2_0045DDE5
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h]0_2_0041AB90
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h]0_2_0041AB90
                          Source: C:\Users\user\Desktop\dendy.exeCode function: 0_2_00414870 mov eax, dword ptr fs:[00000030h]0_2_00414870
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045E5D4 mov eax, dword ptr fs:[00000030h]8_2_0045E5D4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045E5D4 mov ecx, dword ptr fs:[00000030h]8_2_0045E5D4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0043CA90 mov eax, dword ptr fs:[00000030h]8_2_0043CA90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h]8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h]8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h]8_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h]8_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h]8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h]8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h]8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h]8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h]8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004160B0 mov ecx, dword ptr fs:[00000030h]8_2_004160B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h]8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414870 mov eax, dword ptr fs:[00000030h]8_2_00414870
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h]8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h]8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041EF10 mov eax, dword ptr fs:[00000030h]8_2_0041EF10
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h]8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_02E390A3 push dword ptr fs:[00000030h]8_2_02E390A3
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_00482C80 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,8_2_00482C80
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004DD3B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_004DD3B4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004DD74D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_004DD74D
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 8_2_004E1C94 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_004E1C94

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject | 8_2_00418BB0
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_004149F0 cpuid | 0_2_004149F0
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_0040CD50
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: EnumSystemLocalesW | 0_2_004FC045
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: EnumSystemLocalesW | 0_2_004FC090
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: EnumSystemLocalesW | 0_2_004FC12B
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_004FC1B6
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: EnumSystemLocalesW | 0_2_004F43EA
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetLocaleInfoW | 0_2_004FC409
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_004FC532
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetLocaleInfoW | 0_2_004FC638
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_004FC70E
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: GetLocaleInfoW | 0_2_004F496D
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 8_2_0040CD50
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC045
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC090
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC12B
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 8_2_004FC1B6
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004F43EA
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004FC409
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 8_2_004FC532
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004FC638
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 8_2_004FC70E
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004F496D
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoEx,FormatMessageA | 8_2_004DAFC3
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW | 8_2_004FBD99
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004FBF9E
                          Source: C:\Users\user\Desktop\dendy.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 occurrences)
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 occurrences)
                          Source: C:\Users\user\Desktop\dendy.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_0040CD50
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA | 0_2_00446020
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_004F636F GetTimeZoneInformation | 0_2_004F636F
                          Source: C:\Users\user\Desktop\dendy.exe | Code function: 0_2_00491C30 GetVersionExA,CreateFileW | 0_2_00491C30
                          Source: C:\Users\user\Desktop\dendy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 0.2.dendy.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.4a40e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.dendy.exe.4a80e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.3.MPGPH131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.3.MPGPH131.exe.4bb0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.3.RageMP131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.dendy.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.4a70e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.3.dendy.exe.4bd0000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip, type: DROPPED
                          Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets?
                          Source: dendy.exe, 00000000.00000003.2383566671.00000000079B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
                          Source: dendy.exe, 00000000.00000003.2383566671.00000000079B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2 occurrences)
                          Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets (2 occurrences)
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                          Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                          Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveY
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                          Source: C:\Users\user\Desktop\dendy.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\Users\user\Desktop\dendy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: Yara matchFile source: 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000001A.00000002.2495191919.000000000312B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.dendy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MPGPH131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RageMP131.exe.4a40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.dendy.exe.4a80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.3.MPGPH131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.3.MPGPH131.exe.4bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.3.RageMP131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.dendy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MPGPH131.exe.4a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.dendy.exe.4bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip, type: DROPPED
MITRE ATT&CK matrix (one tactic per column; a leading number is the count of matched signatures mapped to that technique, techniques without a number had no matching signature):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 22 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 57 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Virtualization/Sandbox Evasion | Cached Domain Credentials | 261 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 12 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1427876 | Sample: dendy.exe | Startdate: 18/04/2024 | Architecture: WINDOWS | Score: 100

The graph is rendered below as a process tree. Numbers after a process name are the created registry value and created file counts from the legend.

Start
  DNS/IP: ipinfo.io; db-ip.com
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures
  Started: dendy.exe 1 62; MPGPH131.exe 49; RageMP131.exe; MPGPH131.exe 10

dendy.exe 1 62
  DNS/IP: 147.45.47.93, 49730, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation; ipinfo.io 34.117.186.192, 443, 49733, 49740 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; db-ip.com 104.26.5.15, 443, 49735, 49743 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe, PE32; C:\ProgramData\MPGPH131\MPGPH131.exe, PE32; C:\Users\user\...\6XWWeAeVicQTZ7HrJgfaAa9.zip, Zip
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 5 other signatures
  Started: schtasks.exe 1 (started conhost.exe); schtasks.exe 1 (started conhost.exe); WerFault.exe 19 16; 6 other processes

MPGPH131.exe 49
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to check for running processes (XOR); 2 other signatures
  Started: WerFault.exe; 2 other processes

RageMP131.exe
  Dropped: C:\Users\user\...\c9bTQaLpRNBVsUoe4pkuQMW.zip, Zip
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  Started: WerFault.exe

MPGPH131.exe 10
  Dropped: C:\Users\user\...\7SoGIg_Dgh61RYTHw6zemBp.zip, Zip
  Started: WerFault.exe; 3 other processes

Source | Detection | Scanner | Label
dendy.exe | 83% | ReversingLabs | Win32.Trojan.Privateloader
dendy.exe | 71% | Virustotal |
dendy.exe | 100% | Avira | TR/AVI.AceCrypter.tzrgz
dendy.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | TR/AVI.AceCrypter.tzrgz
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 83% | ReversingLabs | Win32.Trojan.Privateloader
C:\ProgramData\MPGPH131\MPGPH131.exe | 71% | Virustotal |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 83% | ReversingLabs | Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 71% | Virustotal |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
http://147.45.47.102:57893/hera/amadka.exe | 15% | Virustotal |
http://147.45.47.102:57893/hera/amadka.exe68.0 | 15% | Virustotal |
http://193.233.132.167/cost/go.exe | 25% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | high
db-ip.com | 104.26.5.15 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/81.181.57.52 | false | | high
https://db-ip.com/demo/home.php?s=81.181.57.52 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://193.233.132.167/cost/lenin.exenesCH | MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr | false | | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | D87fZN3R3jFeplaces.sqlite.9.dr | false | | high
http://193.233.132.167/cost/lenin.exe.exe/HS2 | dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://147.45.47.102:57893/hera/amadka.exe6 | dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr | false | | high
https://t.me/RiseProSUPPORTq | MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.167/cost/go.exeadka.ex | RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t.me/RiseProSUPPORTOU~ | RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTn | RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe | dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://db-ip.com/demo/home.php?s=81 | MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe2 | MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://147.45.47.102:57893/hera/amadka.exeCH | MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://db-ip.com/ | MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botrA | dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe68.0 | RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr | false | | high
                                                                  high
                                                                  https://t.me/risepro_bottl;MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.drfalse
                                                                      high
                                                                      https://t.me/RiseProSUPPORT117.0.2045.47dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://193.233.132.167/cost/go.exeMPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                        https://ipinfo.io/xMPGPH131.exe, 00000009.00000002.2342275444.0000000002E9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://t.me/RiseProSUPPORTVdendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://193.233.132.167/cost/go.exeisepro_botjMPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://t.me/risepro_botDAdendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://ipinfo.io:443/widget/demo/81.181.57.52dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://db-ip.com/ZMrudendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://ipinfo.io/widget/demo/81.181.57.52ldendy.exe, 00000000.00000002.2500536171.0000000002E8A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallxLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.drfalse
                                                                                        high
                                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchdendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drfalse
                                                                                          high
                                                                                          http://193.233.132.167/cost/go.exedka.exeuKRxMPGPH131.exe, 00000008.00000002.2510972800.0000000007967000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://193.233.132.167/cost/lenin.exeRageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                            • URL Reputation: malware
                                                                                            unknown
                                                                                            https://t.me/risepro_botriseproMPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://193.233.132.167/cost/lenin.exeania)MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://db-ip.com:443/demo/home.php?s=81.181.57.52sRageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://db-ip.com/demo/home.php?s=81.181.57.52AMPGPH131.exe, 00000008.00000002.2508595887.0000000002F6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://db-ip.com:443/demo/home.php?s=81.181.57.52dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://ipinfo.io/XMPGPH131.exe, 00000008.00000002.2508595887.0000000002F7D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://ipinfo.io/widget/demo/81.181.57.52FRageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icodendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drfalse
                                                                                                            high
                                                                                                            http://193.233.132.167/cost/lenin.exe192.168.0gAdendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://db-ip.com/demo/home.php?s=81.181.57.52dressdendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dlldendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drfalse
                                                                                                                    high
                                                                                                                    http://upx.sf.netAmcache.hve.7.drfalse
                                                                                                                      high
                                                                                                                      https://t.me/RiseProSUPPORTdendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2500536171.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, c9bTQaLpRNBVsUoe4pkuQMW.zip.26.dr, 6XWWeAeVicQTZ7HrJgfaAa9.zip.0.dr, 7SoGIg_Dgh61RYTHw6zemBp.zip.9.drfalse
                                                                                                                        high
                                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.drfalse
                                                                                                                          high
                                                                                                                          https://www.ecosia.org/newtab/dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drfalse
                                                                                                                            high
                                                                                                                            https://ipinfo.io/Mozilla/5.0dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.9.drfalse
                                                                                                                                high
                                                                                                                                https://db-ip.com/GIGMPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://t.me/risepro_bot1.181.57.52MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://t.me/risepro_botomaniadendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://ac.ecosia.org/autocomplete?q=dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.drfalse
                                                                                                                                        high
IP               Domain      Country             ASN     ASN Name                               Malicious
34.117.186.192   ipinfo.io   United States       139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG  false
147.45.47.93     unknown     Russian Federation  2895    FREE-NET-ASFREEnetEU                   true
104.26.5.15      db-ip.com   United States       13335   CLOUDFLARENETUS                        false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427876
Start date and time: 2024-04-18 09:40:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 33s
Hypervisor-based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dendy.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@24/129@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 88
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtCreateFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time       Type             Description
08:41:08   Task Scheduler   Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
08:41:08   Task Scheduler   Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
09:41:11   Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
09:41:22   Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                      34.117.186.192SecuriteInfo.com.Win32.Evo-gen.24318.16217.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • ipinfo.io/json
                                                                                                                                                                      SecuriteInfo.com.Win32.Evo-gen.28489.31883.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • ipinfo.io/json
                                                                                                                                                                      Raptor.HardwareService.Setup 1.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • ipinfo.io/ip
                                                                                                                                                                      Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                                                                      • ipinfo.io/
                                                                                                                                                                      Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                                                                      • ipinfo.io/
                                                                                                                                                                      w.shGet hashmaliciousXmrigBrowse
                                                                                                                                                                      • /ip
                                                                                                                                                                      Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • ipinfo.io/ip
                                                                                                                                                                      Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                      • ipinfo.io/ip
                                                                                                                                                                      uUsgzQ3DoW.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                      • ipinfo.io/ip
                                                                                                                                                                      8BZBgbeCcz.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                      • ipinfo.io/ip
                                                                                                                                                                      147.45.47.93Q73YlTAmWe.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                        file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                          7AdIyN5s2K.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                            YUoiqJo8Sk.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                              JR58WqLhRl.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                                file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                                  SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exeGet hashmaliciousGlupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                                    I44O512o10.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                                      Jt0SXpowC4.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                                        oZ8kX4OA5q.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                                          104.26.5.15SecuriteInfo.com.Win64.Evo-gen.17494.7440.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • api.db-ip.com/v2/free/127.0.0.1
                                                                                                                                                                                          Nemty.exeGet hashmaliciousNemtyBrowse
                                                                                                                                                                                          • api.db-ip.com/v2/free/84.17.52.2/countryName
                                                                                                                                                                                          227.exeGet hashmaliciousNemtyBrowse
                                                                                                                                                                                          • api.db-ip.com/v2/free/102.129.143.40/countryName
                                                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                          ipinfo.ioSp#U251c#U0434ti.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                          • 34.117.186.192
EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
Q73YlTAmWe.exe | malicious | RisePro Stealer | 34.117.186.192
file.exe | malicious | RisePro Stealer | 34.117.186.192
BetaUnfrated.exe | malicious | Pafish | 34.117.186.192
nsis-installer.exe | malicious | Unknown | 34.117.186.192
nsis-installer.exe | malicious | Unknown | 34.117.186.192
file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
SecuriteInfo.com.FileRepMalware.18165.2747.exe | malicious | Unknown | 34.117.186.192
SecuriteInfo.com.FileRepMalware.18165.2747.exe | malicious | Unknown | 34.117.186.192
db-ip.com | Q73YlTAmWe.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 172.67.75.166
db-ip.com | 7AdIyN5s2K.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
db-ip.com | YUoiqJo8Sk.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | JR58WqLhRl.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | TANQUIVUIA.exe | malicious | LummaC, RisePro Stealer | 172.67.75.166
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Sp├дti.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Q73YlTAmWe.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://www.indeks.pt/ | malicious | Unknown | 34.117.198.124
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | BetaUnfrated.exe | malicious | Pafish | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | nsis-installer.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | nsis-installer.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
FREE-NET-ASFREEnetEU | SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 193.233.132.175
FREE-NET-ASFREEnetEU | Q73YlTAmWe.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | https://casestudybuddy.com | malicious | Unknown | 147.45.47.87
FREE-NET-ASFREEnetEU | PBZcC2ge1z.exe | malicious | PureLog Stealer, RHADAMANTHYS | 147.45.77.238
FREE-NET-ASFREEnetEU | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
FREE-NET-ASFREEnetEU | 7AdIyN5s2K.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
FREE-NET-ASFREEnetEU | YUoiqJo8Sk.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | JR58WqLhRl.exe | malicious | RisePro Stealer | 147.45.47.93
CLOUDFLARENETUS | 5Dw2hTQmiB.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Purchase Order PDF.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | p silp AI240190.pdf.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://ortelia.com/Downloads/Curator/CuratorSetup.exe | malicious | Havoc | 1.1.1.1
CLOUDFLARENETUS | https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1 | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | https://ortelia.com/download-ortelia-curator/ | malicious | Havoc | 1.1.1.1
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | SecuriteInfo.com.Heur.15333.25205.exe | malicious | AgentTesla | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | 5Dw2hTQmiB.exe | malicious | LummaC | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | Quotation 20241804.exe | malicious | Remcos, DBatLoader | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | payload.js | malicious | Unknown | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | payload.js | malicious | Unknown | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe | malicious | Remcos, DBatLoader | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | forcedelctl.dll | malicious | Unknown | 104.26.5.15, 34.117.186.192
No context
Process: C:\Users\user\Desktop\dendy.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 909312
Entropy (8bit): 7.543718231589517
Encrypted: false
SSDEEP: 12288:nrpWNztODIkpIKLFkXLWR4ICfCjDmEtx9YGk5gtB2f1pnYbn+Bnd+WDbLEa:1ZIkqKz4/fa6SId229Gb+z+2LEa
MD5: 446F080CD1ED262B4DD0C1FF2143297E
SHA1: B958C52622A02D7ED530F6D41A7E7C24A27F7918
SHA-256: A211901DEA69EAB959B9E47A6276BA7F363B6857687C410ADCAF56135586B7EA
SHA-512: B176604CB47C789B42DB3119DF7480B5B25C126682CC6AD769D963B1CAB228DA0DB277C1B007365962DA89D62657EE01CD5C153FEC00D2FB1AFE312B9D6488DE
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 71%
                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.D.[...[...[....+..[....=..[....:..[.......[...[...[....4..[....*..[..../..[..Rich.[..........................PE..L...$..d............................A.............@.................................*t......................................|...(.... ......................................................H...........@............................................text...}........................... ..`.rdata..P...........................@..@.data.....~......"..................@....tls................................@....rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\dendy.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9362136584930133
Encrypted:false
SSDEEP:192:GpBynzw8b3056r96E6jjC+ZrVszuiFhZ24IO8oj6t9i:4wwmE56rwjezuiFhY4IO8L
MD5:9940E079D8A4C38B46CB3121E0B4784D
SHA1:14FD178D2BD0FFB881087F3689249364961896E0
SHA-256:431ECF47E959F2F3FDF570C5CEB163496A35D78780C3E3AE9DC977F59F8918FE
SHA-512:F5A164069095C6BC45EDCA0BF8DA448EAD726DE1FBBE1E35F953D17399E528E89B1EFBA4B1F5922507AF51E5F49541A6F0745471E996AB60AB11853952EE43D3
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9358833153649571
Encrypted:false
SSDEEP:192:srTpBynz2G8b3056r96E6jjC+ZrVszuiFhZ24IO8oj6t9:4dw2GmE56rwjezuiFhY4IO8L
MD5:114B883C29964C7CA166C93254C2473A
SHA1:CB2516F872E747F112D47E412767335EAC63E935
SHA-256:CEDDF8EBDD491930818E22C75670B627D790E4A5D8E7C28DF0EED6572D8CB40C
SHA-512:4065A987E45AF131603EEF512F4DD416DEED42C8C61181F14C65F07A51C25930F6E3140EFE7945D18B1FB5FCC4ADABE9CD51C674696A62BF97EEBEB73BD3E3C1
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8958607044708614
Encrypted:false
SSDEEP:192:2wOlpBynzU8b3056r96E6jjC+ZrVNzuiF8Z24IO8oj6t9:JOrwUmE56rwjvzuiF8Y4IO8L
MD5:0A25ED3395E6039CD6B210E5BB9B56D5
SHA1:2827EE9FC151061D1CDBC19AD391AE9C6D9160D0
SHA-256:91B79A2B389AC6EB93765840B1105485FEE26B05DF2CE38328953A90198DB33A
SHA-512:5659827748C68049C35ADC3A72631286DE96719F2D460103C2C5AEA4F21B9DE9CCC7B4331D416DB06551BC6A0CB7EF00E236EF0366A41D06F76A44359B245AA8
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9232949440550894
Encrypted:false
SSDEEP:192:WIpBynz/8b3056r96E6jjC+ZrVfzuiFhZ24IO8oj6t9:3w/mE56rwjdzuiFhY4IO8L
MD5:1D837AFA35A3A690EF0DDD6ABB26A6FA
SHA1:83B981EDF1F7ABF20B4D60DE1D45EB0F4132E24D
SHA-256:045800E78DF22191AB5CF2E9FF83A7CB88CDE688DB163D53DB31362C37698EE6
SHA-512:FC4ECEB3525531C87CCD077C2BA8820AD5508AA4D60A3190E5BAE131DA7A5B68265ECD33403BE2C8BABFA417DA4CE5C13A08B2976B4D1D40DB2A148C8EA7AF58
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):65536
Entropy (8bit):0.9431134629335274
Encrypted:false
SSDEEP:192:mnwCABynzk8b3056r96E6jjsQZrMVzuiFhZ24IO8oj6t9:PwkmE56rwjgzuiFhY4IO8L
MD5:1C0D37EA84675E693A5472D2D5EFEB30
SHA1:14956ADC5D90E24120CE502B9A2604FE17D37746
SHA-256:61ED2C4062B23757675AB3659BB760F72623179B4383FD9F23315E3588BDF61F
SHA-512:ACB3C9646C374F4C66E9362689FD9DA66D007FAFA174675BD3D356D715B2E35F3B4BAE98F825416DC26DBEBCA265056A62179BA0FBF1D5200E4333F46BEEECCA
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9028528981541389
Encrypted:false
SSDEEP:192:4ABynzX8b3056r96E6jjsQZrMyzuiF8Z24IO8oj6t9W:PwXmE56rwj/zuiF8Y4IO8Lk
MD5:5107584D16B79F2215436FD9A42C42E3
SHA1:96B396756410F6780E6697CC6917DCD36B5F8603
SHA-256:379CACE82DD5DB6A4E6DA8DDDF2A75B71AE57160B4A8D55E907EB19F5DAF9220
SHA-512:ECCE3B87D0CB29E920E5A11DF1F4233DDD7C4470055926E6B129DFD824E5FFB36F88613599D3B7FBFE3417FE81747194F6294727E8097C49C2999A31DCBFC7FA
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9427517046049727
Encrypted:false
SSDEEP:192:CxABynzC8b3056r96E6jjsQZrMVzuiFhZ24IO8oj6t9:C2wCmE56rwjgzuiFhY4IO8L
MD5:05653CEBD5C333E9361D19E131901C3E
SHA1:F6193E95F90F0EA21115359CB9D1A2D023F81FE1
SHA-256:350FBB2027473634F9DE86BDD3E23074FA5D0438B9039726081F4C5D1326F604
SHA-512:8C951C6BAD42FA621193EDA1999B01A7537F5F5037B8C881D8A7E2338FA40A9BD44620A2A55C5E0DC93480F91117FF78B07D62ECD416D4E0F111CEB6FC66D1AF
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9090411992990994
Encrypted:false
SSDEEP:192:YhGatvc3056rgjsQZrMyzuiFhZ24IO8W:YQIvcE56rgj/zuiFhY4IO8W
MD5:60E21E003D3DABCCB1938DEB9837FA7C
SHA1:A0E1A1BA86739FD9BA01B0811B4ED60B57647D6C
SHA-256:0082DA0B50A37443E8FEFD97173F7F058D9EFABAB97B4D7F4F34815B9DD11061
SHA-512:557EDB9BFFC70A7365F00C2DA07B8EF61205638A77D54B80BBEE3E10AD2DD6C083EC5BEBB16943C1747029D9B8CDE9952E9CDE9558907E7FB4CFE1E36AC5E52A
Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.8.6.8.2.9.8.5.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.b.c.5.3.9.1.-.f.9.a.6.-.4.1.0.f.-.8.1.b.2.-.9.0.d.9.3.1.5.2.f.0.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.b.4.0.5.7.3.-.6.0.3.8.-.4.6.4.0.-.8.5.8.c.-.f.0.c.d.a.7.0.3.b.1.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.2.c.-.0.0.0.1.-.0.0.1.4.-.9.6.a.a.-.a.1.c.e.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.9.8.7.d.2.9.7.1.8.f.7.0.f.d.f.f.c.3.0.5.6.7.d.e.0.b.8.e.d.4.0.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.R.a.g.e.M.P.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.R.a.g.e.M.P.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):0.9230038541149752
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qLSfAYAsvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEVsJ/j:TfAnb3056rwjsQZrMwzuiF8Z24IO8n
                                                                                                                                                                                          MD5:10029DC9ADDEE6E51EA61E9DDF8C5750
                                                                                                                                                                                          SHA1:649D94AADE8A7EC854CA73C8622F9BF8079D4F09
                                                                                                                                                                                          SHA-256:CE43CB9E0C9164646AFBD7534442CBED6348664401CB544E56C280149B4F59E9
                                                                                                                                                                                          SHA-512:513B7F867CC439E9F1F2CEFCFACD2197BB94B3F365276CBF60799DF7739F5B58316E2B2139CA010B4045A6A33FDB4888D4E34F058B2A97683691289C2372B92F
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.7.7.4.2.9.9.0.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.2.e.c.a.6.0.-.3.9.e.2.-.4.8.9.1.-.8.0.a.d.-.9.c.b.5.9.8.a.0.1.a.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.2.7.8.e.d.2.-.0.8.2.7.-.4.c.2.5.-.a.2.2.0.-.d.d.1.e.f.0.8.0.e.a.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):1.016977113156388
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qCFPfAysvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEVsJ/M:tfAyb3056rwjsQZrM6jzuiFhZ24IO8n
                                                                                                                                                                                          MD5:01175838648C36DA7A1A4B74E47C52FE
                                                                                                                                                                                          SHA1:0E9D7B1F40FEDEF4B54EB41325475ABC8E6F4705
                                                                                                                                                                                          SHA-256:E4C8EFB5FDE6CD0F91B3E6ADEDD838F841006DE6660424437E39E8EA9A496873
                                                                                                                                                                                          SHA-512:385197F1AA11129BEEA6D1E57A006573013D6878434A3C5FEC60293E33B21735CBBB39F298F8691B7D1C737588DADCC103E7DC3CD1814790182079B03862746B
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.8.6.0.1.0.0.9.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.f.7.b.6.c.4.-.5.c.e.d.-.4.8.d.1.-.a.4.9.1.-.d.0.6.e.4.6.3.1.3.e.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.c.a.2.b.9.1.-.5.6.4.1.-.4.7.6.1.-.9.d.d.4.-.3.0.6.9.e.6.f.7.b.0.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):0.9434800621205717
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qdjifASsvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEVsJ/R:EifASb3056rwjsQZrMFzuiFhZ24IO8n
                                                                                                                                                                                          MD5:AC6F27C9FE6717CB38C815D9AF3817FB
                                                                                                                                                                                          SHA1:75EB922AF45765B14DA354390C648FD826F47931
                                                                                                                                                                                          SHA-256:792EE724AE47FAAD7369A87981EFD3C1B4627D29E12ADDE8589EFA665BB0A203
                                                                                                                                                                                          SHA-512:12E70473FE65E8CB97C57A2A3F97FA297B1515708441E13E2DFC8B86797E28A2094796D6C30DE638659816B8A8F8C62C56FA64D63C8B5BCFA5BF4DA7F9EABE19
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.7.9.5.1.2.8.2.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.5.b.3.f.1.e.-.9.9.6.c.-.4.f.b.f.-.b.6.b.e.-.0.1.a.b.5.7.3.9.7.a.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.a.4.0.a.6.c.-.5.c.0.d.-.4.b.0.8.-.9.5.3.e.-.b.f.4.1.4.e.7.3.c.3.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):1.0108014820218294
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:1bIfA0b3056rwjsQZrM6FzuiFhZ24IO8n:1bI40bE56rwjzzuiFhY4IO8n
                                                                                                                                                                                          MD5:6C58DD5D7EB3F085A9D54407D34BCCC9
                                                                                                                                                                                          SHA1:E4351C60A66A9D54E8082235EFA806579BEBDA51
                                                                                                                                                                                          SHA-256:26ED42CF472F3F82991CC74139D3653C9C6FE06B2717C56A7DA3FA3792A5483D
                                                                                                                                                                                          SHA-512:2E7D5419BBFB177A75E21D71047C4A5D247BED51A31F496FED596E1D3D08E259C131F668D5E3D1EB37F8CCB0E11F787DC8806AD4F7FAADCD962C528EF0E6EAB0
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.8.3.9.6.3.1.8.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.7.f.d.d.3.b.-.6.5.f.7.-.4.f.6.4.-.b.9.5.e.-.e.d.d.c.7.6.9.f.b.9.a.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.5.c.e.f.2.0.-.f.4.a.3.-.4.3.7.5.-.b.b.c.7.-.4.d.7.8.5.b.7.8.5.a.2.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):0.9169620869823485
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qtOO/G1fAasvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEV7:LfAab3056rwjsQZrMSzuiF8Z24IO8n+
                                                                                                                                                                                          MD5:C7C97A06B475F7EB47B013AB3385A0AC
                                                                                                                                                                                          SHA1:AD572DCBC41CAF56F4EC17D5EB4C919236E736A7
                                                                                                                                                                                          SHA-256:394A452AE65AD166BD12CE03960BDE011898EB1A0DBE65B0232FEA315E29B6A2
                                                                                                                                                                                          SHA-512:CDCAC899AE04DB8A6A8B6F7495DCB51AEBA1D22DF573B57292B79B67F261C794620C2BE9CC07D1124CDF59BA7B15747D8C864A242D43BD9686C9636CE0716D81
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.7.6.7.0.5.8.9.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.d.0.4.d.5.a.-.b.2.9.2.-.4.a.7.f.-.b.b.0.4.-.f.3.3.1.e.1.e.6.0.7.0.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.8.c.a.5.a.b.-.b.3.7.e.-.4.b.4.0.-.8.b.1.d.-.d.8.d.5.6.0.7.b.b.8.f.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):0.9428149163143585
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qODmyfAHsvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEVsJp:PLfAHb3056rwjsQZrMFzuiFhZ24IO8n
                                                                                                                                                                                          MD5:2BFFC909A5C84B31C411DD9514085986
                                                                                                                                                                                          SHA1:0E92B289DC4017BEE3086218531F6D4733FECAA3
                                                                                                                                                                                          SHA-256:0304A2D5F80232C973CE8CAD431D96C4A31D834307988457802B45D0B884B687
                                                                                                                                                                                          SHA-512:6787284772ABEC978FD33B6732DE81276240CA44F36B61CD591C6CB3AE010DED8547CCBEE8E103C3C475195110D416A16714C0B4A3FB2B73B9C37F4F55E72CAA
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.7.8.4.2.6.5.2.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.0.1.8.f.e.4.-.a.b.4.9.-.4.a.4.1.-.b.e.8.1.-.2.5.3.d.a.0.9.9.7.d.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.7.a.4.e.5.9.-.7.4.d.4.-.4.4.f.e.-.9.5.5.8.-.a.7.3.3.5.a.b.1.0.c.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                          Entropy (8bit):0.9030717358502968
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:qgH2fAZAsvbqIoA7JfPQXIDcQnc6rCcEhcw3rb+HbHg/wWGTf3hOycoqzIPEVsJT:t2fAeb3056rwjsQZrMgzuiF8Z24IO8n
                                                                                                                                                                                          MD5:B854CA7FBC9E503B4F84073659DBB0DD
                                                                                                                                                                                          SHA1:7E3D2A33E8858735F58EBC369F8673FF95965761
                                                                                                                                                                                          SHA-256:C94CBBC59423AC47851D994153081B07003877E5F7C373FC7593D78339E0144E
                                                                                                                                                                                          SHA-512:37E37859A38002BC464FC37997685EBE2E67CB980759D2DA36927F360DE536390FA4484AB81B7BF977EA8F4778F3095D8F3097DCD9B29F58A96F36B18FDFF0ED
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.6.6.7.9.9.2.7.3.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.5.a.0.1.6.7.-.1.5.6.e.-.4.7.d.a.-.8.b.7.5.-.d.9.e.0.8.c.1.e.0.a.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.f.b.d.0.a.e.-.5.b.4.6.-.4.b.1.4.-.8.1.1.5.-.e.0.a.c.5.5.1.f.f.5.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.e.n.d.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.4.-.0.0.0.1.-.0.0.1.4.-.f.d.d.5.-.d.6.c.4.6.3.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.c.3.3.a.6.5.f.a.b.5.0.8.4.d.0.a.a.f.1.c.7.6.0.f.a.c.c.8.1.5.5.0.0.0.0.0.8.0.1.!.0.0.0.0.b.9.5.8.c.5.2.6.2.2.a.0.2.d.7.e.d.5.3.0.f.6.d.4.1.a.7.e.7.c.2.4.a.2.7.f.7.9.1.8.!.d.e.n.d.y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.2.:.1.2.:.3.6.:.0.6.!.0.!.d.e.n.d.y...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:08 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):55822
                                                                                                                                                                                          Entropy (8bit):2.215749897079498
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:PxFEQXn9wHeR67d19OiQTv4i7dsqGPmS7buz/NfB8eWSlK8elCVXevRlACGuLj:5FEres7YZTvJdsqGP8NfBjelCYACG6
                                                                                                                                                                                          MD5:E8E21435B7D413A663E9DE38020FE4AD
                                                                                                                                                                                          SHA1:AD7CFE389522E102976B5F07648FE3320A782C8B
                                                                                                                                                                                          SHA-256:63352105120E2A6D51C735ECE3B279C06EF7A1D7C9F42E7899414FF27737D4D4
                                                                                                                                                                                          SHA-512:9BD4F4CB424FF7D52E0BD4DBD6A93327F180A69551CF29FA649B97D40C415E7D0E1A6C73CF4D1D672AF72B7F5BECEDBA8A96DC3CAB5D1FDE84F9F323549C64E0
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8348
                                                                                                                                                                                          Entropy (8bit):3.6988399852167597
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJW6q6z8y96Y9FSUGwgmf5XCpBM89bhcsf6Lm:R6lXJ26B6YfSUGwgmf5shvfP
                                                                                                                                                                                          MD5:2E9185905934D5C2038F40245DD47CF5
                                                                                                                                                                                          SHA1:F94F4BF1DB7F982276264C673DAF11C53D3C4AC8
                                                                                                                                                                                          SHA-256:C2C49C27C363D32769819DE3DBCB406DAAD0EC36E2BC91AA596D7D908D8D6429
                                                                                                                                                                                          SHA-512:44BE7D7C85A12BB17DC7BB3411C33F95A3BEDA2216FE6799E9D57FE4082746292A1B0ACDC6F6B2841C0AC15F25663CDCD3461BE4A25038236D9DD12627DC7B8A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.470057847329761
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsMJg77aI9YDWpW8VY5xYm8M4Jq4FC+q8N7WTqcHjd:uIjfKI7ey7VewJk6TcHjd
                                                                                                                                                                                          MD5:EAB8965473A5F00241D6A594DC5995FB
                                                                                                                                                                                          SHA1:889C869FD35C3D584F9918DD64AEB335EB9E3CE4
                                                                                                                                                                                          SHA-256:27FD031243F6EAD4A6665E3B09A91FB4B3249695BEA584EE5DA59C7ED05E7095
                                                                                                                                                                                          SHA-512:6588C4C53DF69E24FA3685188AE96861E6D934877F9D6E0FC422D566501FDA36908394646B05BBDFB52BC6DF9954475D60D34DFCFDB6841D86889FA4844D72FB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:12 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):54088
                                                                                                                                                                                          Entropy (8bit):2.1977983634580123
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:7hV3Xu7DJTOGAhMROuQTv33F3T6A2uiONsef6S/3/KPHOneWSYAUNUB4iC6YXuf:TEZOGq9NTvxlsC6y3/KPHOpNLZ
                                                                                                                                                                                          MD5:1F337C70CD872B9A8639DCD8D19E95D4
                                                                                                                                                                                          SHA1:0D86BF5AAF11AF6077E004F3648A03F60862D147
                                                                                                                                                                                          SHA-256:5D17A6CCE4FCCE1EC8104E02163979645D51A057F8FAB82E36A7CE48A8A9E4AA
                                                                                                                                                                                          SHA-512:CED56D9215984C9551660EBEFA846F3F3A5F0B4A1D19D9AC6A695D0092A711F4524D4345FDE204F21D40D5BEC5E5F02421D55C5E6EC19A3389EE4B5E04F3748C
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6340
                                                                                                                                                                                          Entropy (8bit):3.725901227853638
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJRu760oxYiXXCpBT89bqfsf1wjOm:R6lXJU6dYYhqEfST
                                                                                                                                                                                          MD5:31F21297F2A787DA53C49F0F396060E9
                                                                                                                                                                                          SHA1:B53C27EA3282AA4068ADCB0982A4804C8DE70F7C
                                                                                                                                                                                          SHA-256:3BBC8D44109EBC0A0C4C8FF58C9A025EECEBD37AF7417D42B24BECC659AD05AF
                                                                                                                                                                                          SHA-512:C0086ACD2F9EB95060969213D98C1DFD23ED5CF7457B0BF124D6606C023C8BEFF42987B1E614D38543A9306DC15A79674895E41D7BA38BEC21E8E186DC00A529
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:12 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):54524
                                                                                                                                                                                          Entropy (8bit):2.1917046961977245
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:78lXSTHwzXLUswcROiQTvDr9sYj+8WV6sV2Q/N3KVL6eWSkiWYb3wXG4tQe:4tXLNwNZTvD7u6sV2MN3KVLgYzmae
                                                                                                                                                                                          MD5:0FDDF5852FD035C5D9E9EFC033C0BA33
                                                                                                                                                                                          SHA1:C8C71C8E61719516B1E9A925F7A1CD088C1C45F5
                                                                                                                                                                                          SHA-256:D0B72F6417F049E1E42DDFCF538A6F223EEDA728EFE1DB62B0E5474FE50D593D
                                                                                                                                                                                          SHA-512:354B6F73AA2DC9485FCA8F83D439FE25F46F8F94F6C7364C046C68AF91C72329F65DE777AB8DD26C3163093B0DEC98409008D5ED4B427DDDF5DC687EF07AB88D
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.493762161853503
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsMJg77aI9YDWpW8VYVYm8M4JS4Flx/+q8mWpIq3CLd:uIjfKI7ey7VhJjlQv3CLd
                                                                                                                                                                                          MD5:7AB123A945BD3CF63B430B57256002BE
                                                                                                                                                                                          SHA1:9DB618AA8E93604093FCA7E351F2C1B1E358F058
                                                                                                                                                                                          SHA-256:FB77DF1F09663AEB34AD80573CE670BB9A1C511444F29846182439AAB8E401FF
                                                                                                                                                                                          SHA-512:5559AF46D9D26687993E442346A9202A8A350DDB51C7A93F10CA3D8DBCB62482DBE520598583CD43D83819D232736B333B6ECCB17BE096EBDDB50CCE424D5DBC
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6340
                                                                                                                                                                                          Entropy (8bit):3.725406747922147
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJpu86CrzUYiXXCpBp89bq+sfVOm:R6lXJb6iUYYTq9fl
                                                                                                                                                                                          MD5:0C309BE44B49DE4F7745A445E77B02BA
                                                                                                                                                                                          SHA1:187349E98643383C89E6D42BABD1D33F2EE287BD
                                                                                                                                                                                          SHA-256:93A55916C334F3A3AF604D8A013694B76E4C9E0EB70CB8D0EF001BDDB32D8856
                                                                                                                                                                                          SHA-512:3C5977E6DA38B2A1A2D5E5E45E26DF16D2F3734652747CEAA7C27465A929F3FC75FFD7D5705E86E8736A69A16B71036E6A07B314C1BBAE8C097B0FB995B18440
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.495693265904442
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsMJg77aI9YDWpW8VYOOoYm8M4JS4FOe+q8mbUopIq3Cydd:uIjfKI7ey7VtyJsezv3Cydd
                                                                                                                                                                                          MD5:31AF8816E6ACD9DE211A6DCC1E0F9F24
                                                                                                                                                                                          SHA1:ABFBA84EC83A4FB0FFE322580FED79AD5B95C5A7
                                                                                                                                                                                          SHA-256:007B560DBD89B77ADF6896F17D3D9F52B876C8406DC6E6C981393BB65FAC3E95
                                                                                                                                                                                          SHA-512:4E420F3D1AB7B3D0C47A2AFF84D40DAE25592501714A8C5269A91B2FCF84BE015E966A8FA1EB49407981411AB58BA52812A9635E164EAA0199FDA4935F5127BF
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:16 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):67426
                                                                                                                                                                                          Entropy (8bit):2.261975042628922
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:L4DbMuZaLZTvk3ERsL8aeJYb2jUbV14eIFwxLYZf:LIMHLZTvk3um822QVdxa
                                                                                                                                                                                          MD5:449DD8B073A74DE708E2661031320F87
                                                                                                                                                                                          SHA1:E08B2C40B5C5FED09F05E2DF1C0AA861BBC3D6BD
                                                                                                                                                                                          SHA-256:B40B7900F7316CB553A868E68EA6DB984B665C29C0706D3D171D375BA93EBA1B
                                                                                                                                                                                          SHA-512:E10BCBF36E1852A8DA731D99D85337BE0CBBB89B98DE075FA1648D0DFCC10F53565D308E71B54FF623B3523786E69CF9B3610FDCEA986E5A16A762FF2C5722CE
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f........................l...........<...t.......4....4..........`.......8...........T............%..........................................................................................................eJ......4.......GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8350
                                                                                                                                                                                          Entropy (8bit):3.7016173691267147
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJW26k6Y9nSUKmgmf5XCpBt89bOcsf0qam:R6lXJf6k6YNSUKmgmf5fOvfb
                                                                                                                                                                                          MD5:5D929063D2B4CD58F47B987AED7BF646
                                                                                                                                                                                          SHA1:771EB53CE245F84A0AD5BF9ED61B1A8C37CC45EA
                                                                                                                                                                                          SHA-256:05764EDE5EB3D55FC8AB8FADD774FAC58934B822B2127E791009EC509624D62B
                                                                                                                                                                                          SHA-512:9511CFB04BB0B68AA3CA79F8A07E2848AD6AFA8FF0A69E4D18B83A9620D0DA1CDA54720B6754C8C9E4A5D4589BAC474153A61415A7790A6C5E4119A09CD71853
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.4708005577497785
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsMJg77aI9YDWpW8VYJYm8M4Jq4FR+q8N7WTqcHjd:uIjfKI7ey7VxJj6TcHjd
                                                                                                                                                                                          MD5:95091E488FB7F3438318428BB38B56A1
                                                                                                                                                                                          SHA1:3E68B92F5EAF2133D976266D57F6211DF63340ED
                                                                                                                                                                                          SHA-256:7C13F1455EF0B9E4750FF00E208907D19FADF0C6E5BB4B06A2C180CA82FEADA0
                                                                                                                                                                                          SHA-512:EDB113B9300DD50F923EC44B0DC583B5DFBAA062B4F2F8C61588EFF1FF5F86FEFD640E3D41D769B5FADDEE9195F5F24E609CA9B6C2F0A01E5136D4D34832CD70
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:17 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):73658
                                                                                                                                                                                          Entropy (8bit):2.211965102690138
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:tOE79LUU0CZTv4T95sNSXuib2jUbzOezxTdj+SdR:tZJ0CZTve95VuC2Qznis
                                                                                                                                                                                          MD5:20C217E4528F4D17157B671E33CD6336
                                                                                                                                                                                          SHA1:1DAC38F0EB7E09390B6415AC4EFD304249A0EC49
                                                                                                                                                                                          SHA-256:F9121E92705D8147C2B1B6026FBA2817D08DBD78A469FE01D03BF2EC3C5374F6
                                                                                                                                                                                          SHA-512:F235B1B6A316AC3BB594BFE1058A7A0BE9201622E41D00658B4D1692B505A975BE5CE1AA116104DDCF157A37E89D7F4BCE7FAE2023B18B2B595355A8F022ED60
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............$...............8.......<................8..........`.......8...........T............&..:...........L...........8...............................................................................eJ..............GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8350
                                                                                                                                                                                          Entropy (8bit):3.69951242656345
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJWG6Alu6Y9WSUjR4gmf5XCpBM89bXcsfbdm:R6lXJP6b6YMSUjugmf5sXvfM
                                                                                                                                                                                          MD5:0B1B50E4909863960CF85317298BD67F
                                                                                                                                                                                          SHA1:3F155B77E8F80DF77058DF9A584D01F73431ED41
                                                                                                                                                                                          SHA-256:FFD9A5C0E401C83C49FF5885BEF390A75B39AFCA930D6916D4DBB09D8A16C128
                                                                                                                                                                                          SHA-512:C2E5CB2AE29581A7864DAFEEB3173E3BE41DBB9C877388D3056623DA6FB78466BF768E206A3B9ADDD5337C27988D1B39E78F447FD28257AA94F2BC7CFBDE3780
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.468625541018724
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsMJg77aI9YDWpW8VYG5Ym8M4Jq4FX+q8N7WTqcHjd:uIjfKI7ey7VqJ96TcHjd
                                                                                                                                                                                          MD5:19488622890D91CDD6A01713C9EA4663
                                                                                                                                                                                          SHA1:F81C5C84587D932F7934CBDBADCC05586B07D562
                                                                                                                                                                                          SHA-256:51DEFF10212A19518874427BF90DB3F7141D810328F8BB9854566479DCC78C8C
                                                                                                                                                                                          SHA-512:18E5D79EA9DA4598EEBBD5C1F32D76C374D711BE2502F31D38AADE68D6E7C217037AE51BB743DA695F302866E5CF3A5A63E9109955BFD273BD70535C00656ACE
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:18 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):78452
                                                                                                                                                                                          Entropy (8bit):2.1283242913443066
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:0DqsE2ZTvxRwRtsOXh9b2jUX50eW/8WA8kKRQ/:0+p2ZTvxORtnJ2c57se
                                                                                                                                                                                          MD5:7500C8DE4B1375152AB266089E6E0885
                                                                                                                                                                                          SHA1:37F65F29C3C35CAA720519AA494666DB7D0409D7
                                                                                                                                                                                          SHA-256:1E2D652AE9EBAB2AF8066949C54C1FC581F61A2A6A8BE215F7D1A3D2ED146D1A
                                                                                                                                                                                          SHA-512:B79EC39380BF125FB46F09B0E8DAC75B74F0D7453E1691C8E81C0F89AF5A74032D0BE024AA77506A1CFBD2324C4F79B45711CCC021FE3C7139C7096DDABA7F1A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............T...............h.......<................<..........`.......8...........T............&..|.......................................................................................................eJ......D ......GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8350
                                                                                                                                                                                          Entropy (8bit):3.6994471983449753
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJWJ6ss6Y9cSURngmf5XCpBy89bAcsfHKAm:R6lXJw6ss6YmSURngmf5eAvfHc
                                                                                                                                                                                          MD5:E2889841B4E315DCBA9CC827A830ED88
                                                                                                                                                                                          SHA1:DCA5344BD2F2F5384C8D3448CCF80439191A577F
                                                                                                                                                                                          SHA-256:14179BF13E36D5AC352FFE48F3DBE988FBFA760C26BF07097E809E5F715FBB94
                                                                                                                                                                                          SHA-512:E9068F48391BB9F850BC4E2B127B857C902C5D68D9D3A64A644E7F5371730A1F6B36297C6649D75F87BEEDE726ECF7908556C6E522C948A487E87A5CDC5DD1A6
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.46977177370598
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYPYm8M4Jq4Fsi+q8N7WTqcHjd:uIjfzI7ey7VLJWi6TcHjd
                                                                                                                                                                                          MD5:F4F9494A1D985C14DD2F73AE1C779B4C
                                                                                                                                                                                          SHA1:82B91CE5F94F80E0B8E6C5820228E846AF0402BF
                                                                                                                                                                                          SHA-256:F8E348B56C7ACEA21D03164BEB77A0FE5B5A79B0DB09E636B6C55DF3ED9B73C3
                                                                                                                                                                                          SHA-512:3C73665F4D64AF05ECE7C192186C6A7E1DE404938B159EA6FC438FAD1CE1F568C50114D2CF65017481D95977A99B2826411B412B59652D5153B45CA73F4C8123
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:21 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):92162
                                                                                                                                                                                          Entropy (8bit):2.2546870648958346
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:hb9p4UI8ZTvCqOo+swoot+mTiM+h6tFdjwX5+seW2IExAuYL3FQg:hxmUfZTvlOL/iM+ItFdY5kAX3h
                                                                                                                                                                                          MD5:7A74C4E195F5FD34FEC51A4E4DC64207
                                                                                                                                                                                          SHA1:F5793D8898825426459A8C985A635783CB419AD9
                                                                                                                                                                                          SHA-256:08EFA06B05028B94D0EC0BC6431BC2BF98D2DA7E8C269CC46B20AC9EB9833758
                                                                                                                                                                                          SHA-512:DD14B999B854AB467FF6BB9EF505D8A976EA958836D1EF46E723F6D4D7A1F35852C0C4205AEE9B7D05795193906C3FB50D4A44C5A995EC1DDA6F4C4863E42F49
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f....................................<................?..........`.......8...........T............,...;......................................................................................................eJ......t ......GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8350
                                                                                                                                                                                          Entropy (8bit):3.702512505464872
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJWV696Y9iSU5+ggmf5XCpB089bZcsfHnTm:R6lXJ8696YISU5Zgmf50ZvfHK
                                                                                                                                                                                          MD5:3844250097AEED7CF22595CDA3BAF181
                                                                                                                                                                                          SHA1:796B90AF955A5C3EDDE818FD5D8D2DE509DF939C
                                                                                                                                                                                          SHA-256:E98661BC155FCEA6EA48AF64506D436077939FF4CD9994D010E3B78A7F69EF68
                                                                                                                                                                                          SHA-512:7CE91A838D9EAABBEEED62DC84D40DEBA0A457F788A57EBFDFC4A1391FA8C2642FCA63A4338BE3ED7440A69C578D53444020DA35B0CC528C09E88B159053415C
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.4697047566036705
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VY2Ym8M4Jq4Ff+q8N7WTqcHjd:uIjfzI7ey7VOJV6TcHjd
                                                                                                                                                                                          MD5:11377DEAA894AE8DC99A30DB6D8FFD44
                                                                                                                                                                                          SHA1:4D02B4460B00E308C35000515D3EC090A7DD7838
                                                                                                                                                                                          SHA-256:2D972B0BD3961325E6065422EAE937EF7147807D8BAE0331814E9E05E764649B
                                                                                                                                                                                          SHA-512:3693E61E519767DB26CE127A7EFA77B3BF1FD0233A89CD592BA42C0E868EE967117B2E30A8B1174E02E3105D4AF7A073AAF497A3DEA4CC4F115C0AEC43ED1FB5
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:22 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):66594
                                                                                                                                                                                          Entropy (8bit):2.291274042270963
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:uhYR4WwNTvAXBPsLXps50YjJWKBGOWKWlxzMUk:QYaWwNTv+B0SyYwJOgxzMP
                                                                                                                                                                                          MD5:2B6723394AB1B2FE506E097D921351DC
                                                                                                                                                                                          SHA1:B75E7B62B0BD0398D9744E44E7B56A901676579B
                                                                                                                                                                                          SHA-256:44E96F2E84246B5696FD97D3D6EDF4865850FA088F87F6EF83A90DE4D19C15B6
                                                                                                                                                                                          SHA-512:2FB00B60C38012F6CBAFAC143C4C35FDB79FCA03411C8A837C2CE935121259BBA8B6ACD7E7A4440B15B9AC0E21A8D5FE732E682E22044449C140791B6E85D85B
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f........................l...........<...t.......D....4..........`.......8...........T...........8#..........................................................................................................eJ......4.......GenuineIntel............T.......T..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:22 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):72002
                                                                                                                                                                                          Entropy (8bit):2.1487298432014805
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:bDlG6SZTvmmwNqsC/TrAdNbnjyyKjv2e1sQp:bJpSZTvVsq1ADbnLkvCO
                                                                                                                                                                                          MD5:9E95DF04680783C51BAC4EF74D0D4CEC
                                                                                                                                                                                          SHA1:CB1EBE1E7A2C8D206B273C9876EF7FA7FB82BD6B
                                                                                                                                                                                          SHA-256:9CA53E967D19D7BDEAC671B1878844148130487AC9AEC78F76F6D3F612912AB5
                                                                                                                                                                                          SHA-512:3C7BA15DCE73198AF47574171045CAEB03984C7F107B6755092AE159E0682729E8536BD677557AF342359A90FE4DC899B801D4AEA9AB681C71F73151D8A9D230
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............$...............8.......<...........t....9..........`.......8...........T............$..............$...........................................................................................eJ..............GenuineIntel............T....... ..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6344
                                                                                                                                                                                          Entropy (8bit):3.729739501472264
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJRuj6m5XYiXXCpB589bZfsfh2vTm:R6lXJk6AYY7ZEf9
                                                                                                                                                                                          MD5:E1332BF5B2FD823A2157432D90EFACEE
                                                                                                                                                                                          SHA1:08B57408A1BA2E1A1B4ABAF6B397EFB6A1616BC0
                                                                                                                                                                                          SHA-256:557EB9C6C280720E5E0753EC0A4BAAB3B8A525E11A21FA8EE2134F09EA280EE0
                                                                                                                                                                                          SHA-512:45F2FA362142AF1C5D38FF840C859E16B84713C3AF9756AABCA5F18007768F8AA44DEFDA090DCEB08404E3C32CFC93DCB8F175EB2026D031344E90BEF102E4CF
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.6.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.494166477849673
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYwPYm8M4JS4FbS+q8mWpIq3CLd:uIjfzI7ey7VEJYQv3CLd
                                                                                                                                                                                          MD5:7E47FA8C4A7F61CF0A88AF2A42601A51
                                                                                                                                                                                          SHA1:735C705DA4128F1D0F1EBC1B0D7F63954CCE4D82
                                                                                                                                                                                          SHA-256:A7ECB16FDFADC16799F364C2046EBF58CE3FA4A35C731795ABBD9461792EE5E5
                                                                                                                                                                                          SHA-512:916AE4B0D38BCF385B46538BDFC63EEA5EB8891925817F25ED9BE0755270D898F33843E4A8A1A170389139F2FF016D96B1C27DC0DAFF21F9FE2CCF51DCDF68C3
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6344
                                                                                                                                                                                          Entropy (8bit):3.7297418345215165
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJpum66tYiXXCpB689bZ+sfSrTm:R6lXJJ6IYYOZ9fSO
                                                                                                                                                                                          MD5:70D63ABFFC3EB6D73DF55C152C3E0B8B
                                                                                                                                                                                          SHA1:D2930545CB069CC0D55EF78234C3251C54CF6363
                                                                                                                                                                                          SHA-256:0A5B2B3D8971E7E7287D59C627BC47C483C8752844E94EBA1B002EEC50DE5158
                                                                                                                                                                                          SHA-512:27C204B8337A29F61F1682695078E80F669E64FFDF3373E5190C9D722AC9202EFF0D0633B09FE7F362D8D1EA9B7853734947369891C70F3815CB46FFDC60C51F
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.8.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.4928726725102255
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VY6Ym8M4JS4FBaR+q8mbUopIq3Cydd:uIjfzI7ey7ViJ3aRzv3Cydd
                                                                                                                                                                                          MD5:72CFADCE5D565651D192DE47C9DAD5DD
                                                                                                                                                                                          SHA1:74B147B1AAFFD99EDFECD4AE89E76ACE950C0EDC
                                                                                                                                                                                          SHA-256:42816361979AB29787A2A2FDF924D1DC9372572F93B76E099B261E4D6E7B5817
                                                                                                                                                                                          SHA-512:D94313B60AD0329E4BA1CC3EAA96E92618C6DB5BCD1435924E7D9843B464E7D3F9FF3D2008EFBB66F64CC58C05BC092E54FC5E9F7870576A308FB722A74E1022
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:24 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):103548
                                                                                                                                                                                          Entropy (8bit):2.2126704676703515
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:GUvZM7ZTvCsy8Ryiu+Efv1qz4FTsRTjwXS0eLtzvAPOZq2pKsUrSrZukmb+:Gcq7ZTvCs+iu+EfgcUYSvvRlP
                                                                                                                                                                                          MD5:9BF02C953065B76D44734A3A368ED519
                                                                                                                                                                                          SHA1:6F30092F852F5A89197D4B790F34F639C69D2E61
                                                                                                                                                                                          SHA-256:F4DD7277A4FE24E028BFAF33F48B6D5593EB2E675D6BEDB29E6592E43D73CED4
                                                                                                                                                                                          SHA-512:E980A512A6AF3B294B1B91169234B3C9B93F37806D490AFB3F76D5EDE064CBB065B8A38865F1BF0A172D217FD5E66541094DAF92C2A4E8B85E8975725D55D0A1
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f........................T...........<...."......t....G..........`.......8...........T............<..lX..........X"..........D$..............................................................................eJ.......$......GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:24 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):77182
                                                                                                                                                                                          Entropy (8bit):2.0962915181565953
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:oXYe1kMNTvd7ri0sWtg0YjaWKBGOWCCj5iPR:oIOkMNTvd/XBYzJOz5
                                                                                                                                                                                          MD5:4E87773C8E5C98BBB810BAD4D0840CCF
                                                                                                                                                                                          SHA1:8B2AAB67B87ECDD95D646DBCB99215AF8CC48721
                                                                                                                                                                                          SHA-256:2C946A2ABBA107D3DFD810863D92CBF72AC777239A7A478498F1161E3074B20B
                                                                                                                                                                                          SHA-512:1CFD30640D7E0F77603E6F190570CA244DB1B9986C5BF281745C2AC861FD433E91288B319B997612EC9F8B39F2F1CAB2DF158CBBE9128618E42293B06053D126
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............T...........D...h.......<................;..........`.......8...........T............#..........................................................................................................eJ......l.......GenuineIntel............T.......T..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6342
                                                                                                                                                                                          Entropy (8bit):3.72666413430986
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJRuHd6+SaeYiXXCpBZ89bvfsf7hFm:R6lXJq6XYYTvEfm
                                                                                                                                                                                          MD5:79C74BAFB5D1B421B5773520D4E5BE94
                                                                                                                                                                                          SHA1:DA3D079C9BAAD81B25A406CD17AE6F6DA8C42661
                                                                                                                                                                                          SHA-256:2DF0B36C57017EF3C8DC1C8C88A0BF576D5112F1CF36F26096E8A07D29F0BAA7
                                                                                                                                                                                          SHA-512:62D3DF98AAA9AECB918B1D2382D0F515B214E343F0AC93028E102636F91C9C65DB87B5E9CC2A4372A78ECDD57C809952EEB10DC9C9F1FA6D86AFDA22BBE45DA2
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.6.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:25 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):77618
                                                                                                                                                                                          Entropy (8bit):2.095853811567573
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:tzcwuqYdUZTvyYw2Ef4NbnjyyKjv0sBzTe5llJINA7:tYwRkUZTvhTfbnLkv0CG97
                                                                                                                                                                                          MD5:C11F3EEB38164B956CEAC3EF7356D05E
                                                                                                                                                                                          SHA1:DBE1AE2A94541A65D7EC48868A44D23816EB8EBA
                                                                                                                                                                                          SHA-256:B6D293B28377279FE0EC0BED5264A995616F80A9DED86D3073AC3738CC12CA68
                                                                                                                                                                                          SHA-512:3B7ACB6256DFB4B7F9599AC555295653E3709D9DF0416C555D694DBCA407113CE3FAA03B7644C47A587CDA095A3BA32CA914EE1B385A01D4DC95EDB0C277E6FC
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............T...............h.......<................<..........`.......8...........T............$..j...........T...........@...............................................................................eJ..............GenuineIntel............T....... ..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
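The WerFault.exe artifacts in this listing come in three shapes: the minidumps that `file` summarises as "Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:24 2024, 0x1205a4 type", the UTF-16 `<WERReportMetadata>` Report.wer documents, and the ASCII `<req ver="2">` telemetry documents. As an added example (not Joe Sandbox output and not code from the sample), the Python below triages all three: it validates the `MDMP` header and decodes the `MINIDUMP_TYPE` flag set behind that `0x1205a4`, pulls the OS and `Pid` fields out of the UTF-16 metadata, and flattens the `<arg nm= val=/>` telemetry into a dict. The header layout and flag values are assumed from minidumpapiset.h; the inputs are constructed here, they are not the dropped files, and they echo only values the listing shows (15 streams, the 07:41:24 timestamp taken as UTC, flags 0x1205a4, Pid 6688, build 19045).

```python
# Added triage example for the WerFault.exe artifacts above (not Joe Sandbox code,
# not code from the sample). MINIDUMP_HEADER / MINIDUMP_TYPE are assumed from
# minidumpapiset.h; the SAMPLE_* inputs are constructed, not the real dropped files.
import re
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# MINIDUMP_HEADER (32 bytes, little-endian): Signature, Version (low u16 = 0xA793,
# high u16 implementation specific), NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp (unix seconds), Flags (u64 bit set of MINIDUMP_TYPE).
MINIDUMP_HEADER = struct.Struct("<4sHHIIIIQ")
MINIDUMP_VERSION = 0xA793

MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
    0x00200000: "MiniDumpWithAvxXStateContext",
    0x00400000: "MiniDumpWithIptTrace",
}


def parse_minidump_header(data):
    """Check the fields behind 'Mini DuMP crash report, N streams, <date>, 0x... type'."""
    if len(data) < MINIDUMP_HEADER.size:
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, ver, _impl, nstreams, dir_rva, _csum, ts, flags = MINIDUMP_HEADER.unpack_from(data)
    if sig != b"MDMP":
        raise ValueError("bad signature %r" % sig)
    if ver != MINIDUMP_VERSION:
        raise ValueError("unexpected MINIDUMP_VERSION 0x%04x" % ver)
    names, known = [], 0
    for bit, name in sorted(MINIDUMP_TYPE.items()):
        if flags & bit:
            names.append(name)
            known |= bit
    return {
        "streams": nstreams,
        "directory_rva": dir_rva,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "flags": flags,
        "flag_names": names,
        "unknown_bits": flags & ~known,      # bits newer than this table, reported raw
        "full_memory": bool(flags & 0x2),    # False => crash context only, little process memory
    }


_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _xml_root(data):
    # Report.wer is UTF-16 with a BOM; decode first, then drop the declaration,
    # which names the byte encoding and no longer applies to a decoded str.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    return ET.fromstring(_XML_DECL.sub("", text, count=1))


WER_FIELDS = ("WindowsNTVersion", "Build", "Product", "Edition", "BuildString",
              "Revision", "Flavor", "Architecture", "LCID", "Pid")


def parse_report_wer(data):
    """Collect the OS and process fields from a <WERReportMetadata> document."""
    return {el.tag: el.text.strip() for el in _xml_root(data).iter()
            if el.tag in WER_FIELDS and el.text is not None}


def parse_telemetry_args(data):
    """Flatten the <arg nm="..." val="..."/> entries of the <req ver="2"> document."""
    return {a.get("nm"): a.get("val") for a in _xml_root(data).iter("arg")}


# Constructed samples; only values visible in the listing above are reused.
SAMPLE_MINIDUMP = MINIDUMP_HEADER.pack(
    b"MDMP", MINIDUMP_VERSION, 0, 15, 0x20, 0, 1713426084, 0x1205A4) + b"\x00" * 32
SAMPLE_REPORT_WER = b"\xff\xfe" + (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n<WERReportMetadata>\r\n'
    "<OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build>"
    "<Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation>\r\n"
    "<ProcessInformation><Pid>6688</Pid></ProcessInformation></WERReportMetadata>"
).encode("utf-16-le")
SAMPLE_TELEMETRY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n<req ver="2"><tlm><src><desc><mach><os>'
    '<arg nm="vermaj" val="10" /><arg nm="vermin" val="0" /><arg nm="verbld" val="19045" />'
    '<arg nm="lcid" val="2057" /></os></mach></desc></src></tlm></req>'
).encode("utf-8")

if __name__ == "__main__":
    print(parse_minidump_header(SAMPLE_MINIDUMP))
    print(parse_report_wer(SAMPLE_REPORT_WER))
    print(parse_telemetry_args(SAMPLE_TELEMETRY))
```

Decoding 0x1205a4 gives FilterTriage, WithoutOptionalData, IgnoreInaccessibleMemory, FilterModulePaths, WithProcessThreadData, WithUnloadedModules and WithHandleData, and not WithFullMemory: these 77 to 103 KB files are crash-context triage dumps, useful for the faulting thread's registers and stack but not a place to carve the unpacked stealer from. The `Pid` in each Report.wer is the value that ties a dump back to the process it describes elsewhere in the report.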
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.4950722374942265
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VY3Ym8M4JS4FzQ+q8mWpIq3CLd:uIjfzI7ey7V/J9QQv3CLd
                                                                                                                                                                                          MD5:25BF02646978145CB1125D7D43C4969F
                                                                                                                                                                                          SHA1:09E56713FAF24CD757B345E49F6B8244191FF414
                                                                                                                                                                                          SHA-256:89AE71D6E9D58C97880380BE8EAC6D993D887756A01DA1029AD57BAA2451BD3E
                                                                                                                                                                                          SHA-512:AAD047347A3C5D3FF183BA5E31EE385441CE43D320F62040EF9DD6A82558883D21B5A407654435F0A521334F541ACBEF59A41B8E3FF0768BCD627723D55D1E90
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8352
                                                                                                                                                                                          Entropy (8bit):3.700258046469887
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJWn6h496Y9zSU9dogmf5XCpBO89bvcsf0esFm:R6lXJO6E6YZSU9dogmf5ivvftD
                                                                                                                                                                                          MD5:8F2C96919BA0F695821D4EA5572BFEB4
                                                                                                                                                                                          SHA1:E0A2040A197937A4B57C5FF154D4F3ACA53557A2
                                                                                                                                                                                          SHA-256:3F6D7577E64A5FA91CB74061C62E640CE6DB2E9A8EC68D0B9E121EA9A8F08B79
                                                                                                                                                                                          SHA-512:3C6B66D14C536AD0DA5C3F230A0FEBAD785F40F261BAD134EA135730FC1F6FBFCECD4D7BC8D632B9E2DC676F4B56FBAC279D1CD459B9028D5EE54BCCC6555DC9
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4596
                                                                                                                                                                                          Entropy (8bit):4.4721635416120975
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYv+Ym8M4Jq4FGR+q8N7WTqcHjd:uIjfzI7ey7VCJC6TcHjd
                                                                                                                                                                                          MD5:9DC36B55D542C08030EF0B9F27570317
                                                                                                                                                                                          SHA1:1E497A32D019F295DCC325C1109913BF664DADC0
                                                                                                                                                                                          SHA-256:7C1A3B8B4E8159BABA43CA79069C630467A344C9B9C204F248B38D6232701322
                                                                                                                                                                                          SHA-512:1B0788F796F3BD5A4F5EB2106C889329DB3DC0843C4C49CD371E18583FE907CE8B6B20666F66047EBFBA6E6C9FCFF6B1559391A0EDF81355D5239F131A045DA6
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6342
                                                                                                                                                                                          Entropy (8bit):3.7289384143804742
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJpuu6PnE9YiXXCpBx89bm+sfwCm:R6lXJB6PneYY7m9fU
                                                                                                                                                                                          MD5:CD78E987FF07CC8A28F1723C9F5A438F
                                                                                                                                                                                          SHA1:D8DE1B7D1357310094039438CCFB4F744521FA81
                                                                                                                                                                                          SHA-256:71ED9885E45DCE057C0A8DD390492EE1DDB4A6AB12A9848F1D539BAD518AF1E5
                                                                                                                                                                                          SHA-512:557B3B56895B859D9801167287D20F073DF345E320F9F03EDA491C77C516DAD9E3664FBEA4D70ADD014A68F026786FDD1DE79C45CCCEE6BB9FA61E7430EA3141
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.8.8.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.493827193952335
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYS5Ym8M4JS4FBJr+q8mbUopIq3Cydd:uIjfzI7ey7V6JbJrzv3Cydd
                                                                                                                                                                                          MD5:1353F6494FB923A20E07D8B9D657AAD7
                                                                                                                                                                                          SHA1:6A53D72FBAD2A6EB3E49BDCD4ABA6CE09CE534EB
                                                                                                                                                                                          SHA-256:371D19EF60C323811F194F1F3CA89B93A49DB57F6BAD0F6FE005D1AABEBA454C
                                                                                                                                                                                          SHA-512:43EE7F31F79D0341B8AAF184F20583831BF516B11B137B1AC212FC051777C14BE80963EB80A655C6245C9A736FAFB10850E98A7355A519599697328FC947A728
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:26 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):76758
                                                                                                                                                                                          Entropy (8bit):2.1081545991639263
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:384:UYe1wJNTvCBObq9gYsh8o0YjaWKBGOWIaLLGyI:fOwJNTvMcc8oYzJOqvI
                                                                                                                                                                                          MD5:666D826A814C8A68A8C2B8D9F30A2CA9
                                                                                                                                                                                          SHA1:D59DA27681907A018798E8449FCEF063F3B33928
                                                                                                                                                                                          SHA-256:B5C2159959B96217F6E67D6071CBBB7A343D4A51478D76E3D81FD1BC5ACD0A40
                                                                                                                                                                                          SHA-512:0F10B3118361228612A2A29AED5B5520DF66C1A82220ECB99BCE030EDF7C51A238B392964D16E392A8F0D724EA7EF2724EE937643A9258D5992FC08993AFC1DF
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f............T...........D...h.......<................;..........`.......8...........T............#..&.......................................................................................................eJ......l.......GenuineIntel............T.......T..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:26 2024, 0x1205a4 type
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):110620
                                                                                                                                                                                          Entropy (8bit):2.137379130142958
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:768:6f3/WZTvJHBIP3ZJ7h/zf+ltjn+imKvY:6f3aROT1Ktj+imKvY
                                                                                                                                                                                          MD5:6ED15B634284F92D9C80FD84245E3FC9
                                                                                                                                                                                          SHA1:693CEDC458DE2494EE1BAD74CB9E6F1209235CA4
                                                                                                                                                                                          SHA-256:BB6A8C1AA9E786BAA517E8FD158F26D9E8523BC48B9B754AFBECEDF5B62E727D
                                                                                                                                                                                          SHA-512:5D41BA4A4C6DF410A4BFA7CB5E0CFC5786F2A25253A531EA858BE0FDF36A6FD4E5A5D440C287862DA93B56E4D9FF0D1ADEBFBDD145D7FB85B8E49CCFECAA7181
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:MDMP..a..... ......... f....................................<...."......T...vK..........`.......8...........T...........PG...h..........."...........$..............................................................................eJ......x%......GenuineIntel............T.......t..... f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
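The two "Mini DuMP crash report" entries above are WerFault.exe output, not files the sample wrote itself, which is why they carry Malicious:false. Everything file(1) put in that one-line description (15 streams, the 0x1205a4 "type", the timestamp) comes from the 32-byte MINIDUMP_HEADER at the start of the .dmp, and the XML entries around them are the WER report metadata (UTF-16LE with BOM) and the ASCII Watson upload request whose `<arg nm=... val=...>` elements fingerprint the host. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it decodes the minidump header flags and pulls the build, locale and crashing PID out of the XML. The sample inputs are constructed from the values visible in the entries (15 streams, flags 0x1205a4, build 19045, LCID 2057, PID 7028); the minidump bytes are synthesised, since the real dump is not on this page, and the timestamp is treated as UTC (an assumption: the report does not say which zone file(1) printed it in).

```python
"""Triage of WerFault.exe artifacts: MINIDUMP_HEADER and WER XML. Added example;
the sample inputs at the bottom are constructed from values shown in the report."""
import re
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793  # low 16 bits of MINIDUMP_HEADER.Version

# MINIDUMP_TYPE bits (minidumpapiset.h); file(1) prints the raw value as "type"
MINIDUMP_FLAGS = {
    0x1: "MiniDumpWithDataSegs", 0x2: "MiniDumpWithFullMemory",
    0x4: "MiniDumpWithHandleData", 0x8: "MiniDumpFilterMemory",
    0x10: "MiniDumpScanMemory", 0x20: "MiniDumpWithUnloadedModules",
    0x40: "MiniDumpWithIndirectlyReferencedMemory", 0x80: "MiniDumpFilterModulePaths",
    0x100: "MiniDumpWithProcessThreadData", 0x200: "MiniDumpWithPrivateReadWriteMemory",
    0x400: "MiniDumpWithoutOptionalData", 0x800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo", 0x2000: "MiniDumpWithCodeSegs",
    0x4000: "MiniDumpWithoutAuxiliaryState", 0x8000: "MiniDumpWithFullAuxiliaryState",
    0x10000: "MiniDumpWithPrivateWriteCopyMemory", 0x20000: "MiniDumpIgnoreInaccessibleMemory",
    0x40000: "MiniDumpWithTokenInformation", 0x80000: "MiniDumpWithModuleHeaders",
    0x100000: "MiniDumpFilterTriage", 0x200000: "MiniDumpWithAvxXStateContext",
    0x400000: "MiniDumpWithIptTrace", 0x800000: "MiniDumpScanInaccessiblePartialPages",
}


def parse_minidump_header(data: bytes) -> dict:
    """Decode the 32-byte MINIDUMP_HEADER; this is all file(1) needed for its summary."""
    if len(data) < 32 or data[:4] != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    _, version, n_streams, dir_rva, checksum, stamp, flags = struct.unpack_from(
        "<4sIIIIIQ", data, 0)
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:x}")
    return {
        "streams": n_streams,
        "stream_dir_rva": dir_rva,
        "checksum": checksum,
        # TimeDateStamp is a 32-bit epoch; decoded as UTC here (assumption, see lead-in)
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "flags": flags,
        "flag_names": sorted(n for bit, n in MINIDUMP_FLAGS.items() if flags & bit),
        "full_memory": bool(flags & 0x2),  # only then does the dump hold all process memory
    }


def parse_wer_report_metadata(data: bytes) -> dict:
    """OS build, locale and crashing PID from the UTF-16 WERReportMetadata document."""
    # ElementTree refuses a str that still carries encoding="UTF-16", so decode
    # (which consumes the BOM) and drop the XML declaration before parsing.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.decode("utf-16"))
    root = ET.fromstring(text)
    return {
        "build": root.findtext("OSVersionInformation/Build"),
        "lcid": int(root.findtext("OSVersionInformation/LCID")),
        "pid": int(root.findtext("ProcessInformation/Pid")),
    }


def parse_wer_telemetry(data: bytes) -> dict:
    """Flatten the <arg nm= val=> host fingerprint of the ASCII <req ver="2"> request."""
    return {a.get("nm"): a.get("val") for a in ET.fromstring(data).iter("arg")}


def triage(data: bytes) -> tuple:
    """Dispatch on leading bytes, the same way file(1) classified the entries."""
    if data.startswith(MINIDUMP_SIGNATURE):
        return "minidump", parse_minidump_header(data)
    if data.startswith(b"\xff\xfe"):  # UTF-16LE byte order mark
        return "wer_metadata", parse_wer_report_metadata(data)
    if data.lstrip().startswith(b"<?xml"):
        return "wer_telemetry", parse_wer_telemetry(data)
    return "unknown", {}


# Constructed samples (not the real files): header values taken from the report,
# stream directory left empty because only the header is decoded here.
_TS = int(datetime(2024, 4, 18, 7, 41, 26, tzinfo=timezone.utc).timestamp())
SAMPLE_MINIDUMP = struct.pack("<4sIIIIIQ", MINIDUMP_SIGNATURE, 0x0001A793,
                              15, 0x20, 0, _TS, 0x1205A4) + b"\x00" * 32
SAMPLE_METADATA = b"\xff\xfe" + (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n<WERReportMetadata>\r\n'
    "  <OSVersionInformation>\r\n    <WindowsNTVersion>10.0</WindowsNTVersion>\r\n"
    "    <Build>19045</Build>\r\n    <LCID>2057</LCID>\r\n  </OSVersionInformation>\r\n"
    "  <ProcessInformation>\r\n    <Pid>7028</Pid>\r\n  </ProcessInformation>\r\n"
    "</WERReportMetadata>\r\n").encode("utf-16-le")
SAMPLE_TELEMETRY = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n<req ver="2">\r\n'
    b' <tlm><src><desc><mach><os>\r\n <arg nm="vermaj" val="10" />\r\n'
    b' <arg nm="verbld" val="19045" />\r\n <arg nm="lcid" val="2057" />\r\n'
    b' <arg nm="geoid" val="223" />\r\n </os></mach></desc></src></tlm>\r\n</req>\r\n')

if __name__ == "__main__":
    for blob in (SAMPLE_MINIDUMP, SAMPLE_METADATA, SAMPLE_TELEMETRY):
        print(*triage(blob))
```

Flags 0x1205a4 decode to a triage-style dump (MiniDumpFilterTriage and MiniDumpWithoutOptionalData set, MiniDumpWithFullMemory clear), so these files hold thread contexts, handle data and the module list but not the full memory of the crashed process; they are not where an unpacked payload would be recovered from. LCID 2057 is English (United Kingdom), i.e. the locale of the analysis VM, and the Pid values in the metadata previews (7028, 6688, 6996) tie each crash report back to the process that faulted.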
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6342
                                                                                                                                                                                          Entropy (8bit):3.7265441943779827
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:RSIU6o7wVetbRuAl6vYidtFXw8JtgaMOUJ89b9fsfkfm:R6l7wVeJRuo6vYiXXCpBJ89b9fsfkfm
                                                                                                                                                                                          MD5:69768BE0189CF9A28B933A387A9F6FAC
                                                                                                                                                                                          SHA1:92CD9A760629924393539E1912482A83CACECC2A
                                                                                                                                                                                          SHA-256:40F92C5553BDCE59CB8E49F343DC03EE230FC8967AA464B6E68C3538D9398214
                                                                                                                                                                                          SHA-512:0F471B98E111AB0CFA5498ED5A788157B75D088219A3161CC061B228773D48983E177AD0C61F424BE68615921A6F2C2FE6C102D67A628747CF0CF9A41189F5B9
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.6.<./.P.i.
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4611
                                                                                                                                                                                          Entropy (8bit):4.496530803210506
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYwYm8M4JS4FtN+q8mWpIq3CLd:uIjfzI7ey7VQJVQv3CLd
                                                                                                                                                                                          MD5:04937929B61A69C9CBFB5A005A1BE150
                                                                                                                                                                                          SHA1:58BFF6810E57ED355EE9BDF27AD8F435E3FB0AB5
                                                                                                                                                                                          SHA-256:D42A138B3998A4D81CDD11497B84112A84803B8A6C493F4D4E62C02872FA1DF5
                                                                                                                                                                                          SHA-512:D093714ACC866466BC7C28E222C585B2F1B84EA701C7D5ECAFFD1B69A9E106CE38B61069B51423FBA375514596093F5B8D9FD78365CC7764362645C8BF290DF8
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):8352
                                                                                                                                                                                          Entropy (8bit):3.7003357547800078
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:R6l7wVeJW46QuT6Y9cSU9UZNrGgmf5XCpBl89b9csfQfm:R6lXJR6d6Y2SU9gQgmf5H9vfV
                                                                                                                                                                                          MD5:853313ACF7DC122F03424DDF749DD359
                                                                                                                                                                                          SHA1:F9E00DE6CAE2F632D4225FCD2D6EDBB540CE15D1
                                                                                                                                                                                          SHA-256:AD6EE5E03A6C22A9D867F313ACA6FE3081192E7A1B82D70C48D2AD51ACFD7FF8
                                                                                                                                                                                          SHA-512:4DCE8E3B758562A119C9C18154C360B2A3B4BF92794A763DEEB51432D4AE5B8B50FA0ADB8B4666A0BF4CF29D262AACE34B0C2C55144612C43B2FA1FAF331F5EE
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4596
Entropy (8bit):4.47038347316607
Encrypted:false
SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYq2Ym8M4Jq4FVsi+q8N7WTqcHjd:uIjfzI7ey7Vz/Jci6TcHjd
MD5:EED20ED340A3C21FE11F6907533A292C
SHA1:46339D16536B5F4C09F47766A9890A508EA74B13
SHA-256:D5C4D1B4C4A06EB3230C772E8168DACE5FF83110B30198A01F9E2E8A41643368
SHA-512:44E2B7122F38ECCE65EF4C9095BD64B5033288AC127825DADE964217C67B6A8D2652C31C0412B0DBA78A2DBFE1B073BF53C29B42B90A963B97AA6612A9A8A594
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:41:27 2024, 0x1205a4 type
Category:dropped
Size (bytes):54686
Entropy (8bit):2.1959266237437145
Encrypted:false
SSDEEP:192:8gFXC7ghu6V9HOiQTvCp8gbCOCKeEsUVPf/+7je+feWS8q3PSTmfQFse3cOPnjRQ:JlhJPuZTvCp8AyEswP+7j/UPqcObi
MD5:5AD05F44AAD4B7665FD2265A820BE064
SHA1:65A76DB4C8E692F984E6D1CF4D42DE7D082FD7C4
SHA-256:3CE4B6E9ADC65CDB97D36187C3BAF273FD3E31C11398162D19B04BAD68AB6643
SHA-512:CD4DB04CDAF0F748E72BDB0798DFE54C35BB65FA935736CEFAF92FE5FA45798239FA87148D44D2816FC255C1EEDF570C3AFC4630C91FBABC5AD21CFFFB37D2F8
Malicious:false
Preview:MDMP..a..... ......... f........................(...........$................/..........`.......8...........T...........@ ..^...........$...........................................................................................eJ..............GenuineIntel............T.......,..... f............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8366
Entropy (8bit):3.7020238864749495
Encrypted:false
SSDEEP:192:R6l7wVeJAU6C6Y9OSU9UZNrGgmf6XCpBC89b0QsfHcm:R6lXJj6C6YUSU9gQgmf6e0jfJ
MD5:715A15483506FBACFEE2F0F388EC8513
SHA1:8F61782141DCE709134CE3A8A55C19B6E3B1D298
SHA-256:E7BEC3A21F97B53E4FA93177A23C764495D00FD589069F03817E01E6369DFAF8
SHA-512:EB3A399D10C7A3B53E7B06F2EBEE0419064B66BC742A49391545D01870CD8C771FE3984CCD6E2DB1C169F3727FEDA1C222E0928D5D5F27809016F6C9CFE53873
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.6.4.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4616
Entropy (8bit):4.486450955756427
Encrypted:false
SSDEEP:48:cvIwWl8zshJg77aI9YDWpW8VYSYm8M4JE4FD+q8SeOdqD8ed:uIjfzI7ey7VKJfKOkD8ed
MD5:4428954916FAB73EED7BE634F3FFCD9B
SHA1:011943980E4FE3C1FED41B21CBE4368162673E93
SHA-256:E406C1AB385D0EE565409D0D11BB0D432828C04B6FFD13DBCC72C0E22651469B
SHA-512:E3B0225028AB59E20B465F172E1720ED756C42FD2B19876C0EE4CF87DD2452C80E677226E333CE074DD46281A16D4FA5CA8E65D2AD1F141A3AD2A114A732B8E5
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285044" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Users\user\Desktop\dendy.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):909312
Entropy (8bit):7.543718231589517
Encrypted:false
SSDEEP:12288:nrpWNztODIkpIKLFkXLWR4ICfCjDmEtx9YGk5gtB2f1pnYbn+Bnd+WDbLEa:1ZIkqKz4/fa6SId229Gb+z+2LEa
MD5:446F080CD1ED262B4DD0C1FF2143297E
SHA1:B958C52622A02D7ED530F6D41A7E7C24A27F7918
SHA-256:A211901DEA69EAB959B9E47A6276BA7F363B6857687C410ADCAF56135586B7EA
SHA-512:B176604CB47C789B42DB3119DF7480B5B25C126682CC6AD769D963B1CAB228DA0DB277C1B007365962DA89D62657EE01CD5C153FEC00D2FB1AFE312B9D6488DE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 71%, Browse
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.D.[...[...[....+..[....=..[....:..[.......[...[...[....4..[....*..[..../..[..Rich.[..........................PE..L...$..d............................A.............@.................................*t......................................|...(.... ......................................................H...........@............................................text...}........................... ..`.rdata..P...........................@..@.data.....~......"..................@....tls................................@....rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\dendy.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Users\user\Desktop\dendy.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):5523
Entropy (8bit):7.895841973301727
Encrypted:false
SSDEEP:96:ZWGzqeAoMq+YK0KF8cAJiI2i+u6QkyI3A3Wv/Dh43TS3KJL:tqASpF8wFZQTI3vd43m6JL
MD5:F291525A2CC01A1FD4636BEC25A58CD4
SHA1:1EC5AB6F6385531B92685411E37CDF03B5B79928
SHA-256:C4814E724B8F48B4688C6DD52C9769E427DC3D96BD6A5514A304BAB9DD4AF7CC
SHA-512:366319B5A520519851A39BEAF61E41DB7B1A2BE1EB08114957E7E4C1D4ED42DB54A92DAA7A27C70ADBF4F1A34BA7AEF765169309138B4164AC99644B1C56B4F6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip, Author: Joe Security
Preview:PK........FM.X................Cookies\..PK........FM.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):5626
Entropy (8bit):7.893689001540579
Encrypted:false
SSDEEP:96:3UT29vHz9WQBavDziBP1Pe4McobRHSINuVRtR+QlLiCDF5qTypr3KJ1:3UT29Hz9WGFh1Pe4q4DA+F5R6J1
MD5:75EC89F83C64778CBFC0F9185ED9D848
SHA1:DF3827538B1F3F5B8849B3C70E3E789045E922DD
SHA-256:5959B64D804540E52C28652AD8211A5DA4FB7464BC42D10504346A3587EF85EB
SHA-512:41B3AB4F000A915E74FF2FDEBFDAED8F051DCBAB50ED5F6C1D87F728E2283948FA14BCFE68AE968C631736045A9882EBDEDC349B9FEF34D9E914A39CD7773086
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip, Author: Joe Security
Preview:PK........EM.X................Cookies\..PK........EM.X..s@..../......Cookies\Chrome_Default.txt.G.....5..G.BMx.....%.M...{...?.LH..71.t.....:y3..s./.0.m.%......../. ..!..A.C.........;...x...........!.2.....Z..<....*<.h8..<.q;.....9....gK.}.R.#f...A.E...1...?lR....b.....nS=l.%E&'...>x......h.......E)C..t..'.2<Z_@.........&Lk......0..B.mqk.9M1lf.-e@....E.v..R&..|..-....C.w.Y.K... ...*.....k..3..2W5.!vs.....S.~.......0._.*..e.....U...).....>...g+;...z[Ks....Z..d...|.".v..(...I....+.7.y.X@.H....eV.............Y..c..x...Kw.'S>.d|.....B..k.p..|C|F.......O52....`f.3W..../....i..E...7..c.Kwv..,]..C..j.2.T..+............t.2....6.M>..s..K.M...VJ..>;.......n.<f;]s.K..5...n....~$ ....%......Z#.....Q5...<n...I&......0<:..>..I.K)g.)..KX.H.(Y!..j4W.j..1.V..d\.T..,p...D...T..>z...,.....L.....Mh.t..!....A...!?.U...x..[a7j.N;#..t.\.#.Z.-)f...v_.<..?..`.D0..?......).vX.#...Lw.j...1.....M.#...+.W....h....U.W....G.w......'.Y?.....;.....`...X...C..w..
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:ASCII text, with very long lines (769), with CRLF line terminators
Category:dropped
Size (bytes):6085
Entropy (8bit):6.038274200863744
Encrypted:false
SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:ACB5AD34236C58F9F7D219FB628E3B58
SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6043
                                                                                                                                                                                          Entropy (8bit):5.421697465850321
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:x7B19mZRKkcT4Aisph+9hcB3Tp0vcxs9/FqR7+kAANUbg3x:xkIkvAtphWhcB3Tp00McPhB
                                                                                                                                                                                          MD5:11BADC527507E1095F58BAB2DF4B3429
                                                                                                                                                                                          SHA1:16AE1E5E92D792964A04DFB73D2F0A44F62DF6C7
                                                                                                                                                                                          SHA-256:D56A24DDCABEE6F3840B8A03B8D83EBE42590DBBBE0C2DA55FE1C4039DB41075
                                                                                                                                                                                          SHA-512:0CA5A32948E1F624DC09A76ABFE7F6B0FF7E1FAF58333376C13202167CA02505DAC852E1D2442786640AC015CF586F339A7FDDB8369E753458D3F9E039E24F6B
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:Build: zorka..Version: 1.9....Date: Thu Apr 18 09:42:00 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 753c4c2d8deab6dd7e693b7cc1ab050b....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe6Qz8rFkBJKgG....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 061544 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 9:42:0..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrv
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4897
                                                                                                                                                                                          Entropy (8bit):2.518316437186352
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):12170
                                                                                                                                                                                          Entropy (8bit):6.038274200863744
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WhHGYUnOTNC5IcXkWFXZQHRFJ5Pts7c3aP:gwsPbtKvCpqq40wsPbtKvCpqq47
                                                                                                                                                                                          MD5:B6F52D24FC4333CE4C66DDA3C3735C85
                                                                                                                                                                                          SHA1:5B69F1D66E95EFE2CF1710E9F58526B2AAEC67E4
                                                                                                                                                                                          SHA-256:0FEE1A764F541EC6733DB89C823296650F6E581CD7D812D5A142B5A0AD9BC9B6
                                                                                                                                                                                          SHA-512:CD2C6D64083061D7C7A7E89CF9C9F7D2B66301C73CFB56D2CCD94D1B810DE42774DAE5B77DB2E567A26FC54989C04D8A60D76225E6F3F91FCD2AE4D2E01F3C4C
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5862
                                                                                                                                                                                          Entropy (8bit):5.415370469623048
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:x7Bx9mZRKIcT4Aisph+9hcB3Tp0vcxs9/FqRTANUbg3x:x4IIvAtphWhcB3Tp00MjB
                                                                                                                                                                                          MD5:B6021223E3C95EDEC8CD781F6D9714BC
                                                                                                                                                                                          SHA1:D104D0FC8894609561917F71D249F006E1899D4E
                                                                                                                                                                                          SHA-256:DF06EFBC411B62260D241C174012A78FE3BAC34A92AE1253070E302BC9F74A28
                                                                                                                                                                                          SHA-512:9D3ABBD44B1812B07732A5D3AA3BDE35024F7AE8A551D586B868AA40704F7B9FAFF4870677BABD361E5CEED5DEB10AAB6BF88434EA59CF0B52FE4DE16FB5DE8F
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:Build: zorka..Version: 1.9....Date: Thu Apr 18 09:41:56 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 753c4c2d8deab6dd7e693b7cc1ab050b....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeMPBzMuKRxBXT....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 061544 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 9:41:56..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784].
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):4897
                                                                                                                                                                                          Entropy (8bit):2.518316437186352
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                                                          MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                                                          SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                                                          SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                                                          SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):6085
                                                                                                                                                                                          Entropy (8bit):6.038274200863744
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                                                          MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                                                          SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                                                          SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                                                          SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5754
                                                                                                                                                                                          Entropy (8bit):5.4105680924592985
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:x7BU95ZRKZcT4Aisph+9hcB3Tp0vcxs9/FqRJANUbg3x:xAIZvAtphWhcB3Tp00MZB
                                                                                                                                                                                          MD5:030D58C8BB3650BA4685BC7A6510EC7C
                                                                                                                                                                                          SHA1:96502D40226E19E717FCFEF0C4E2B3F316A01303
                                                                                                                                                                                          SHA-256:493BDF1652531590BCBD72180458864C5C68C9C2EF63F4B20477DE00181F6DAF
                                                                                                                                                                                          SHA-512:1C394B2FED2E7AFF9A5E138AF8AED87729B9E0E72DA6A982F4E68501C3B3314A2AEEC1050A02CE4F61E19136495A56C0D30DF54891CDD82407EC31125C6D5D4A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:Build: zorka..Version: 1.9....Date: Thu Apr 18 09:41:53 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 753c4c2d8deab6dd7e693b7cc1ab050b....Path: C:\Users\user\Desktop\dendy.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe_DCXbajIrPwg....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 061544 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 9:41:53..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svc
Process:C:\Users\user\Desktop\dendy.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):5583
Entropy (8bit):7.89873043026967
Encrypted:false
SSDEEP:96:ZWGzqeAoMq+YK0KF8cAJiI2i+uwEMxfTUUnAq5tGyTnX63KJd:tqASpF8wFR5Aq5EmX66Jd
MD5:D2C2BF6C23C7FFABCA7E2CA120E25F7C
SHA1:4EE5F3B723AB985465D729F234F8F0A0462470E9
SHA-256:703C615BC938C8A22F79916B1612B9D8A0BB1CF7EED56B5D74D7BB8E5CED0828
SHA-512:C108E1F047D061C5679DD576F83D0CB0002C491D895C4BA0BA4C42B3781CF7A5238E502157819DB2B0390E76022B5C6B42D269A26FDF9C16E88025EB615A89AA
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip, Author: Joe Security
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.1358696453229276
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5: 28591AA4E12D1C4FC761BE7C0A468622
SHA1: BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256: 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512: 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 126976
Entropy (8bit): 0.47147045728725767
Encrypted: false
SSDEEP: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5: A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1: BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256: B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512: C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category: dropped
Size (bytes): 28672
Entropy (8bit): 2.5793180405395284
Encrypted: false
SSDEEP: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5: 41EA9A4112F057AE6BA17E2838AEAC26
SHA1: F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256: CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512: 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 126976
Entropy (8bit): 0.47147045728725767
Encrypted: false
SSDEEP: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5: A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1: BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256: B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512: C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.7873599747470391
Encrypted: false
SSDEEP: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5: 6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1: 4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256: 0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):114688
                                                                                                                                                                                          Entropy (8bit):0.9746603542602881
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):98304
                                                                                                                                                                                          Entropy (8bit):0.08235737944063153
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5242880
                                                                                                                                                                                          Entropy (8bit):0.037963276276857943
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                          MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                          SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                          SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                          SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):126976
                                                                                                                                                                                          Entropy (8bit):0.47147045728725767
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                                          MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                                          SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                                          SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                          SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):114688
                                                                                                                                                                                          Entropy (8bit):0.9746603542602881
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false

Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false

Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false

Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\Desktop\dendy.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):159744
                                                                                                                                                                                          Entropy (8bit):0.7873599747470391
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                                          MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                                          SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                                          SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                                          SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):40960
                                                                                                                                                                                          Entropy (8bit):0.8553638852307782
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):106496
                                                                                                                                                                                          Entropy (8bit):1.1358696453229276
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                          MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                          SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                          SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                          SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\Desktop\dendy.exe
                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):13
                                                                                                                                                                                          Entropy (8bit):2.873140679513133
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:3:L4j:Uj
                                                                                                                                                                                          MD5:4BB20CDD572B0F010D78159C6C529EE5
                                                                                                                                                                                          SHA1:0312B66A8AE6906B9FFE7A7C804A9768775143B3
                                                                                                                                                                                          SHA-256:9F19163BE044F9F285699D7F81328E54AD47D8E60BA1077C70E46C954A70A6C1
                                                                                                                                                                                          SHA-512:5460FBC00650E527561F7B09179174218652336E9A94F7E0A1DFFDFD4598F6756567B2B8F68B2579F84EF0A19BD71144624A57569956CA2352BDA12641272DF2
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:1713430120825
                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):1835008
                                                                                                                                                                                          Entropy (8bit):4.468164197413436
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:6144:BIXfpi67eLPU9skLmb0b4hWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSbe:CXD94hWlLZMM6YFHO+e
                                                                                                                                                                                          MD5:5468F83FEB6EC2530FF0832F5D5CBFA1
                                                                                                                                                                                          SHA1:EA9EDDFED10F339E050A6E684C3F1A06CAFAE2B3
                                                                                                                                                                                          SHA-256:EEFD97F771688FC576E0F3E83B224D20279A062DAB11BDBB67F8E98E1E12E7AA
                                                                                                                                                                                          SHA-512:91DCB48F964EBCC2112F190B3014DECF8AF2D34AA90AF93281D8FAB764914795B01727BAEF108A8A9A5C9C006648234B378EF4D0076FDFFEC3B3F9B1A281E5FA
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Preview:regf=...=....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB...c..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Entropy (8bit):7.543718231589517
                                                                                                                                                                                          TrID:
                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                                                                                                                          • InstallShield setup (43055/19) 0.43%
                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                          File name:dendy.exe
                                                                                                                                                                                          File size:909'312 bytes
                                                                                                                                                                                          MD5:446f080cd1ed262b4dd0c1ff2143297e
SHA1: b958c52622a02d7ed530f6d41a7e7c24a27f7918
SHA256: a211901dea69eab959b9e47a6276ba7f363b6857687c410adcaf56135586b7ea
SHA512: b176604cb47c789b42db3119df7480b5b25c126682cc6ad769d963b1cab228da0db277c1b007365962da89d62657ee01cd5c153fec00d2fb1afe312b9d6488de
SSDEEP: 12288:nrpWNztODIkpIKLFkXLWR4ICfCjDmEtx9YGk5gtB2f1pnYbn+Bnd+WDbLEa:1ZIkqKz4/fa6SId229Gb+z+2LEa
TLSH: D01512213A90E173F94E4473BA1AC6743E7AF8A597685527770C2E7F2B302E1562433B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:.D.[...[...[....+..[....=..[....:..[.......[...[...[....4..[....*..[..../..[..Rich.[..........................PE..L...$..d...
Icon Hash: 13295d4d29170f17
Entrypoint: 0x401941
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6419D024 [Tue Mar 21 15:41:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 14ef0fc1d4be9b1c7ae01c60ea12a8bd

Two points from the header block worth noting before any dynamic analysis: the only DLL characteristic set is TERMINAL_SERVER_AWARE, so DYNAMIC_BASE and NX_COMPAT are absent and, together with RELOCS_STRIPPED and the empty base-relocation directory, the image always loads at 0x400000 without ASLR. The "TLS Callbacks" field is empty, but a TLS directory and a .tls section are present (see the data directory and section tables below), so the absence of listed callbacks comes from the static parse and should be confirmed under a debugger rather than assumed.
Instruction (disassembly at the entry point, 0x401941)

The listing opens with the entry stub (a call followed by a jmp and int3 padding); the code after it, recognisable by the 0x7EFEFEFF / 0x81010100 constants, is the Visual C++ runtime's word-at-a-time strlen, i.e. ordinary VS2008 CRT code rather than anything specific to the sample. The entry-point preview therefore says nothing about the packer stub or payload; those live elsewhere in the image.

call 00007F9B0983F245h
jmp 00007F9B0983A9CEh
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F9B0983AB76h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F9B0983ABA0h
test ecx, 00000003h
jne 00007F9B0983AB41h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F9B0983AB3Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F9B0983AB84h
test ah, ah
je 00007F9B0983AB76h
test eax, 00FF0000h
je 00007F9B0983AB65h
test eax, FF000000h
je 00007F9B0983AB54h
jmp 00007F9B0983AB1Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040F22Ch
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F9B0983AB5Eh
test byte ptr [eax], 00000008h
je 00007F9B0983AB59h
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [C++] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcde7c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28b2000 | 0xdfa8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xcd748 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xcd700 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xd67d | 0xd800 | bc14a58614d469bd1c271ba019301f23 | False | 0.6057038483796297 | data | 6.664734708351165 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0xbf750 | 0xbf800 | 7a1c74f788504b9ea4a0ff81ae73e0ab | False | 0.9010242432278068 | data | 7.6657726486145386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcf000 | 0x27e16f4 | 0x2200 | 3c4b3de1a8674a7b889999d1f72d427f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x28b1000 | 0x9cd | 0xa00 | b85f229e4962d23b2bc27d3fefa72e8e | False | 0.010546875 | data | 0.004986070829181356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28b2000 | 0xdfa8 | 0xe000 | cceac1bfd4049c2fe473c534974561bf | False | 0.5247453962053571 | data | 5.416254851646741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The section table carries the strongest static indicators on this page. .rdata, nominally read-only data, has an entropy of 7.67 bits per byte and a ZLIB complexity of 0.90, which is what compressed or encrypted content looks like, not strings and constants. .data has a virtual size of 0x27e16f4 (roughly 40 MiB) but only 0x2200 bytes on disk, so almost all of it is zero-filled at load time; that is a large writable region available for something to be unpacked into, and it is also why the analyzer reports "unknown" for its entropy and complexity. Both observations are consistent with a packed executable, and none of the sections are writable and executable at rest, so any code that ends up in .data or .rdata must have had its protections changed at runtime.
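As an added example (not part of the Joe Sandbox report and not the sample's own code), the following Python script does the static triage the section table above invites: it walks the PE32 headers with struct, computes per-section Shannon entropy, and flags a virtual size that dwarfs the raw size, a high-entropy section, writable-and-executable sections, a populated TLS directory and RELOCS_STRIPPED. It runs offline against a constructed PE image (build_sample_pe) that mimics the layout in the table but is not dendy.exe; the 8x size ratio and 7.0 entropy thresholds are assumptions chosen for this example, not values from the report.

```python
import hashlib
import math
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # winnt.h COFF characteristic
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_TLS = 9
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Minimal PE32 header walk: COFF characteristics, entry RVA, data directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsect):                                # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "chars": sc,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"characteristics": chars, "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def triage(pe: dict) -> list[str]:
    """Indicators worth surfacing before the sample is ever executed (thresholds are assumptions)."""
    flags = []
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        flags.append("RELOCS_STRIPPED: image cannot be relocated, so no ASLR")
    if len(pe["dirs"]) > IMAGE_DIRECTORY_ENTRY_TLS and pe["dirs"][IMAGE_DIRECTORY_ENTRY_TLS][1]:
        flags.append("TLS directory present: TLS callbacks run before the entry point")
    for s in pe["sections"]:
        n = s["name"]
        if s["vsize"] > 8 * max(s["rawsize"], 1):        # mostly uninitialised on disk
            flags.append(f"{n}: virtual {s['vsize']:#x} vs raw {s['rawsize']:#x} (room for an unpacked payload)")
        if s["rawsize"] and s["entropy"] > 7.0:
            flags.append(f"{n}: entropy {s['entropy']:.2f} (packed or encrypted content)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"{n}: writable and executable")
    return flags


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe() -> bytes:
    """Constructed PE32 for offline testing (NOT dendy.exe): a small .text, a high-entropy
    .rdata, a .data section whose virtual size dwarfs its raw size, and a TLS directory."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB of noise
    specs = [(b".text", 0x1000, b"\x55\x8b\xec" * 200, 0x60000020),   # CODE|EXECUTE|READ
             (b".rdata", 0x1000, packed, 0x40000040),                 # INITIALIZED_DATA|READ
             (b".data", 0x27E16F4, b"\0" * 0x100, 0xC0000040)]       # INITIALIZED_DATA|READ|WRITE
    e_lfanew, opt_len = 0x40, 0xE0
    size_of_headers = _align(e_lfanew + 24 + opt_len + 40 * len(specs), FILE_ALIGN)
    sect_hdrs, body, vaddr, rawptr = b"", b"", SECT_ALIGN, size_of_headers
    for name, vsize, raw, sc in specs:
        rawsize = _align(len(raw), FILE_ALIGN)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, sc)
        body += raw.ljust(rawsize, b"\0")
        vaddr, rawptr = _align(vaddr + vsize, SECT_ALIGN), rawptr + rawsize
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (0x2748, 0x18)      # a non-zero size is all the check needs
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 9, 0, 0, 0, 0, 0x1941, 0x1000, 0x2000, 0x400000,
                      SECT_ALIGN, FILE_ALIGN, 5, 0, 5, 0, 5, 0, 0, vaddr, size_of_headers, 0,
                      2, 0x8000, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0x6419D024, 0, 0, opt_len,
                                   0x0102 | IMAGE_FILE_RELOCS_STRIPPED)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    return (dos + coff + opt + sect_hdrs).ljust(size_of_headers, b"\0") + body


if __name__ == "__main__":
    print("\n".join(triage(parse_pe32(build_sample_pe()))))
```

To run it on a real sample, pass the file's bytes to parse_pe32 instead of build_sample_pe(); the parser deliberately handles only PE32 so that a PE32+ or non-PE input fails loudly rather than producing misleading flags.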
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x28b24c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.42510660980810233
RT_ICON | 0x28b3368 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5496389891696751
RT_ICON | 0x28b3c10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.619815668202765
RT_ICON | 0x28b42d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6950867052023122
RT_ICON | 0x28b4840 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.5345435684647303
RT_ICON | 0x28b6de8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.5562851782363978
RT_ICON | 0x28b7e90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.634016393442623
RT_ICON | 0x28b8818 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.6631205673758865
RT_ICON | 0x28b8cf8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.3816631130063966
RT_ICON | 0x28b9ba0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5166967509025271
RT_ICON | 0x28ba448 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5817972350230415
RT_ICON | 0x28bab10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6322254335260116
RT_ICON | 0x28bb078 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.5081950207468879
RT_ICON | 0x28bd620 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.5030487804878049
RT_ICON | 0x28be6c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5032786885245901
RT_ICON | 0x28bf050 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5212765957446809
RT_STRING | 0x28bf710 | 0x76 | data | | | 0.652542372881356
RT_STRING | 0x28bf788 | 0x64c | data | | | 0.43300248138957814
RT_STRING | 0x28bfdd8 | 0x84 | data | | | 0.6287878787878788
RT_STRING | 0x28bfe60 | 0x142 | data | | | 0.531055900621118
RT_GROUP_ICON | 0x28b8c80 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x28bf4b8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_VERSION | 0x28bf530 | 0x1e0 | data | | | 0.56875
DLL | Import
KERNEL32.dll | GetDateFormatW, GetConsoleAliasesLengthW, EnumCalendarInfoW, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, GetComputerNameW, UnlockFile, GetModuleHandleW, CreateNamedPipeW, GetProcessHeap, FindNextVolumeMountPointA, EnumTimeFormatsW, SetCommState, GlobalAlloc, LoadLibraryW, GetLocaleInfoW, IsBadWritePtr, GetAtomNameW, SetConsoleTitleA, GetCurrentDirectoryW, GetLongPathNameW, GetProcAddress, BuildCommDCBW, LoadLibraryA, SetConsoleDisplayMode, SetCurrentDirectoryW, GetModuleFileNameA, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, SetCalendarInfoA, FindAtomW, FileTimeToLocalFileTime, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA, CloseHandle, FlushFileBuffers, GetModuleHandleA
Language of compilation system | Country where language is spoken
Turkish | Turkey
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/18/24-09:41:09.471690 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:41:09.663282 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:13.499765 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:13.824615 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:16.817956 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:19.788174 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:19.803148 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:29.078780 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:36.448653 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49746 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:43.723664 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:43.865022 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49746 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:53.335082 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:41:54.899031 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:41:54.901092 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:42:02.523877 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:42:13.250995 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49746 | 58709 | 192.168.2.4 | 147.45.47.93
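The Snort alerts above and the raw TCP connection list that follows are two views of the same evidence, and an analyst reads them together: every alert lands on the one remote endpoint 147.45.47.93:58709, which the sample reconnects to from a series of fresh client ports (49730, 49731, 49732, 49739, 49746) while the port-443 flows to 34.117.186.192 and 104.26.5.15 trigger nothing. The Python below is an added example, not part of the Joe Sandbox report, that folds both tables into a per-remote-endpoint summary and ranks endpoints by IDS hits and by how many separate client connections were opened to them. The sample rows are transcribed from this report's two tables; the 192.168.2.0/24 sandbox subnet is assumed from the 192.168.2.4 host address; the ranking heuristic and the min_reconnects threshold of 3 are the example's own choices, not something the report states.

```python
"""Correlate the report's Snort alerts with its TCP connection list, per remote endpoint."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample input: rows transcribed from the report's Snort alert table.
ALERT_ROWS = """\
04/18/24-09:41:09.471690 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-09:41:09.663282 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:13.499765 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:16.817956 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:29.078780 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
04/18/24-09:41:36.448653 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49746 | 147.45.47.93 | 192.168.2.4
04/18/24-09:42:13.250995 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49746 | 58709 | 192.168.2.4 | 147.45.47.93
"""

# Constructed sample input: the first packet of each flow in the report's connection list.
PACKET_ROWS = """\
Apr 18, 2024 09:41:09.219270945 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:09.441447973 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.062457085 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.387106895 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:23.657541037 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:26.089104891 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.639808893 CEST | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:28.648267984 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.707552910 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
"""

SANDBOX_NET = ip_network("192.168.2.0/24")  # assumed from the 192.168.2.4 host in the report


@dataclass
class Endpoint:
    """Everything observed for one remote ip:port, regardless of packet direction."""
    client_ports: set[int] = field(default_factory=set)
    packets: int = 0
    alert_sids: set[int] = field(default_factory=set)
    first_seen: datetime | None = None

    def observe(self, ts: datetime, client_port: int, sid: int | None = None) -> None:
        self.client_ports.add(client_port)
        if sid is None:
            self.packets += 1
        else:
            self.alert_sids.add(sid)
        self.first_seen = ts if self.first_seen is None else min(self.first_seen, ts)


def _orient(sport: int, dport: int, src: str, dst: str) -> tuple[str, int, int]:
    """Return (remote_ip, remote_port, client_port); the sandbox host is always the client."""
    if ip_address(src) in SANDBOX_NET:
        return dst, dport, sport
    return src, sport, dport


def _parse_packet_ts(s: str) -> datetime:
    # "Apr 18, 2024 09:41:09.219270945 CEST": drop the zone, keep 6 fractional digits for %f
    date, clock, _zone = s.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_endpoints(alert_rows: str, packet_rows: str) -> dict[tuple[str, int], Endpoint]:
    endpoints: dict[tuple[str, int], Endpoint] = defaultdict(Endpoint)
    for line in alert_rows.splitlines():
        ts, _proto, sid, _msg, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        ip, port, cport = _orient(int(sport), int(dport), src, dst)
        endpoints[(ip, port)].observe(datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), cport, int(sid))
    for line in packet_rows.splitlines():
        ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
        ip, port, cport = _orient(int(sport), int(dport), src, dst)
        endpoints[(ip, port)].observe(_parse_packet_ts(ts), cport)
    return dict(endpoints)


def rank_endpoints(endpoints: dict[tuple[str, int], Endpoint], min_reconnects: int = 3):
    """Most suspicious first: IDS hits, then the number of separate client connections
    opened to the same remote ip:port (the reconnect pattern visible in the C2 traffic)."""
    order = sorted(endpoints.items(),
                   key=lambda it: (-len(it[1].alert_sids), -len(it[1].client_ports), it[1].first_seen))
    ranked = []
    for (ip, port), ep in order:
        reasons = []
        if ep.alert_sids:
            reasons.append("snort:" + ",".join(map(str, sorted(ep.alert_sids))))
        if len(ep.client_ports) >= min_reconnects:
            reasons.append(f"{len(ep.client_ports)} client connections")
        ranked.append((f"{ip}:{port}", reasons))
    return ranked


if __name__ == "__main__":
    for endpoint, reasons in rank_endpoints(build_endpoints(ALERT_ROWS, PACKET_ROWS)):
        print(f"{endpoint:<22} {'; '.join(reasons) or 'no IDS hit, single connection'}")
```

Orienting every row so that the sandbox host is the client is what lets alert rows written server-to-client (the Token and External IP hits, source port 58709) and packet rows written client-to-server collapse onto the same key; without that step each direction looks like a different endpoint and the reconnect count is split in two.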
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 09:41:09.219270945 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:09.441447973 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:09.441555023 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:09.471689939 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:09.663281918 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:09.705679893 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:09.743331909 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:12.783957005 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.056051016 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.062457085 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.281060934 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.281147003 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.294459105 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.387106895 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.499764919 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.549362898 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.556041002 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.605653048 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.605736971 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.619801044 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.824615002 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:13.877501965 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:13.883897066 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:16.612332106 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:16.817955971 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:16.861932993 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:16.883999109 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:16.971369028 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:17.243277073 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:19.699807882 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:19.752485991 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:19.788173914 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:19.803148031 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:19.830720901 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:19.846282959 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:23.657541037 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:23.657639027 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:23.657711029 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:23.669825077 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:23.669868946 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:23.896933079 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:23.897006035 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:23.903300047 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:23.903310061 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:23.903590918 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:23.949531078 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:25.839278936 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:25.884109974 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:25.970999956 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:25.971323967 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:25.971384048 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:25.974021912 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:25.974021912 CEST | 49733 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:25.974044085 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:25.974056959 CEST | 443 | 49733 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:26.089104891 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:26.089149952 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:26.089258909 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:26.089586973 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:26.089602947 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:26.313915968 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:26.314049006 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.088051081 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.088073969 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.089159966 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.090668917 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.132167101 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.318603039 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.318852901 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.319000959 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.319000959 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.319067955 CEST | 49735 | 443 | 192.168.2.4 | 104.26.5.15
Apr 18, 2024 09:41:28.319087982 CEST | 443 | 49735 | 104.26.5.15 | 192.168.2.4
Apr 18, 2024 09:41:28.319422007 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:28.588191986 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:28.639808893 CEST | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:28.648267984 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.648308039 CEST | 443 | 49740 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.648477077 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.649821043 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.649842978 CEST | 443 | 49740 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.707552910 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.707626104 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.707700968 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.709254026 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.709287882 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.859363079 CEST | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
Apr 18, 2024 09:41:28.859443903 CEST | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:28.871474981 CEST | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 18, 2024 09:41:28.873739958 CEST | 443 | 49740 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.873837948 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.875327110 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.875349045 CEST | 443 | 49740 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.876151085 CEST | 443 | 49740 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.931355953 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.935452938 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.937553883 CEST | 49741 | 443 | 192.168.2.4 | 34.117.186.192
Apr 18, 2024 09:41:28.937577009 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:28.937939882 CEST | 443 | 49741 | 34.117.186.192 | 192.168.2.4
Apr 18, 2024 09:41:29.010763884 CEST | 49740 | 443 | 192.168.2.4 | 34.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.049350023 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.078779936 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.134038925 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.236896038 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:29.637052059 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.654097080 CEST49740443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.680128098 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.700119019 CEST4434974034.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.767935038 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768115997 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768208027 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768718004 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768753052 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768771887 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.768781900 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.770530939 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.770586014 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.770735025 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.771043062 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.771054983 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789027929 CEST4434974034.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789145947 CEST4434974034.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789271116 CEST49740443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789748907 CEST49740443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789748907 CEST49740443192.168.2.434.117.186.192
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789769888 CEST4434974034.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.789782047 CEST4434974034.117.186.192192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.791405916 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.791439056 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.791662931 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.791968107 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.791979074 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.990669012 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.990787029 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.992178917 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:29.992192984 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.992531061 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:29.993812084 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.008079052 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.008171082 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.040122986 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.172213078 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.172236919 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.172749043 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.174452066 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.216133118 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.360583067 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.360701084 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.360816956 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.360999107 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.361015081 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.361026049 CEST49743443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.361030102 CEST44349743104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.361476898 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:30.378572941 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.378655910 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.378789902 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.379048109 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.379059076 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.379067898 CEST49744443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:30.379071951 CEST44349744104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.379535913 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:30.633953094 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:30.649519920 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:32.208614111 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:32.477639914 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:36.004522085 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:36.226365089 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:36.226718903 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:36.238707066 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:36.448652983 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:36.501100063 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:36.509046078 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:38.557358980 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:38.611874104 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:38.612376928 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:38.635209084 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:38.650902987 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:38.690071106 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:38.705734015 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:38.884219885 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:39.565082073 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:39.837105989 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.138089895 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.190202951 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.206057072 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.259923935 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.293567896 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.315018892 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.315664053 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.315824986 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.477447987 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.586802006 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.586853981 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.723664045 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.768116951 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:43.865021944 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:43.908718109 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563388109 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563452959 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563507080 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563546896 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563545942 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563587904 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563628912 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563633919 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563656092 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563668013 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563676119 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:44.563709021 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.696388960 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.696564913 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:47.719644070 CEST44349749104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.719749928 CEST44349749104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.720052004 CEST49749443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.720156908 CEST49749443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.720156908 CEST49749443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.720197916 CEST44349749104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.720230103 CEST44349749104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.753813982 CEST44349750104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754062891 CEST44349750104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754128933 CEST49750443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754213095 CEST49750443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754225016 CEST44349750104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754240036 CEST49750443192.168.2.4104.26.5.15
                                                                                                                                                                                          Apr 18, 2024 09:41:47.754245996 CEST44349750104.26.5.15192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.821300030 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.821547985 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:47.962033987 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:47.962110043 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:48.086822987 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:48.227768898 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:48.856168985 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:48.905724049 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:48.908833981 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:48.920257092 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:48.971204042 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:49.002686024 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:49.002904892 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:49.274708986 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:49.274806976 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:49.962055922 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:49.962471008 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:49.966049910 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:49.982515097 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:50.033726931 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:50.111809969 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:50.139332056 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:50.144191027 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:50.227612972 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:50.244450092 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:50.286468029 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:50.418179035 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:50.558193922 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.634536982 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.634567976 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.634773016 CEST4973158709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:51.635014057 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:51.857758045 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.899924994 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.899969101 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:51.941457987 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:51.997431993 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:52.051218033 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:52.212002993 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:52.321542978 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264872074 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264902115 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264919996 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264939070 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264960051 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264978886 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.264997959 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265016079 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265033960 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265057087 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265093088 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265093088 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265093088 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.265121937 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298194885 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298319101 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298340082 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298358917 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298377991 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298388958 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298398018 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298419952 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298439026 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298459053 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298466921 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298466921 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298477888 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298496008 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.298530102 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.335082054 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484369040 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484402895 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484422922 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484442949 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484462976 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484555006 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.484555006 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520673037 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520706892 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520726919 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520745039 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520766020 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520765066 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.520843029 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.533886909 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.533900023 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.602926970 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.684086084 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.806231976 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.806262970 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.830566883 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.887811899 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                                          Apr 18, 2024 09:41:53.893656015 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                                          Apr 18, 2024 09:41:53.935204029 CEST5870949746147.45.47.93192.168.2.4
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 18, 2024 09:41:23.515213013 CEST  49468        53         192.168.2.4  1.1.1.1
Apr 18, 2024 09:41:23.620235920 CEST  53           49468      1.1.1.1      192.168.2.4
Apr 18, 2024 09:41:25.982060909 CEST  54966        53         192.168.2.4  1.1.1.1
Apr 18, 2024 09:41:26.088136911 CEST  53           54966      1.1.1.1      192.168.2.4
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Apr 18, 2024 09:41:23.515213013 CEST  192.168.2.4  1.1.1.1  0x5889    Standard query (0)  ipinfo.io  A (IP address)  IN (0x0001)  false
Apr 18, 2024 09:41:25.982060909 CEST  192.168.2.4  1.1.1.1  0x9d85    Standard query (0)  db-ip.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address         Type            Class        DNS over HTTPS
Apr 18, 2024 09:41:23.620235920 CEST  1.1.1.1    192.168.2.4  0x5889    No error (0)  ipinfo.io         34.117.186.192  A (IP address)  IN (0x0001)  false
Apr 18, 2024 09:41:26.088136911 CEST  1.1.1.1    192.168.2.4  0x9d85    No error (0)  db-ip.com         104.26.5.15     A (IP address)  IN (0x0001)  false
Apr 18, 2024 09:41:26.088136911 CEST  1.1.1.1    192.168.2.4  0x9d85    No error (0)  db-ip.com         104.26.4.15     A (IP address)  IN (0x0001)  false
Apr 18, 2024 09:41:26.088136911 CEST  1.1.1.1    192.168.2.4  0x9d85    No error (0)  db-ip.com         172.67.75.166   A (IP address)  IN (0x0001)  false
• https:
  • ipinfo.io
  • db-ip.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49733        34.117.186.192  443               7028  C:\Users\user\Desktop\dendy.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-18 07:41:25 UTC  237                OUT
  GET /widget/demo/81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: ipinfo.io
2024-04-18 07:41:25 UTC  513                IN
  HTTP/1.1 200 OK
  server: nginx/1.24.0
  date: Thu, 18 Apr 2024 07:41:25 GMT
  content-type: application/json; charset=utf-8
  Content-Length: 980
  access-control-allow-origin: *
  x-frame-options: SAMEORIGIN
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  referrer-policy: strict-origin-when-cross-origin
  x-envoy-upstream-service-time: 2
  via: 1.1 google
  strict-transport-security: max-age=2592000; includeSubDomains
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close
2024-04-18 07:41:25 UTC  742                IN
  Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
  Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 07:41:25 UTC  238                IN
  Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
  Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49735        104.26.5.15     443               7028  C:\Users\user\Desktop\dendy.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-18 07:41:28 UTC  261                OUT
  GET /demo/home.php?s=81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: db-ip.com
2024-04-18 07:41:28 UTC  652                IN
  HTTP/1.1 200 OK
  Date: Thu, 18 Apr 2024 07:41:28 GMT
  Content-Type: application/json
  Transfer-Encoding: chunked
  Connection: close
  x-iplb-request-id: AC471628:2740_93878F2E:0050_6620CEA8_8A2111E:4F34
  x-iplb-instance: 59215
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lengErSF2xqO5o8C3qllkMfzicW2ueOlUdUnE5hBBpMWIha3N8o3FhLwQoXzuBn8SaZrwfaB9XgbygeSobr8klNXa9PKmhcE0DpZ3cx%2Bm1R%2FiLPjganN0l5Tlw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8763033aec2cb0ed-ATL
  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                          2024-04-18 07:41:28 UTC699INData Raw: 32 62 34 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a
                                                                                                                                                                                          Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
                                                                                                                                                                                          2024-04-18 07:41:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49741 | 34.117.186.192 | 443 | 6996 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:29 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 07:41:29 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 07:41:29 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 07:41:29 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 07:41:29 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 34.117.186.192 | 443 | 6688 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:29 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 07:41:29 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 07:41:29 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 07:41:29 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 07:41:29 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49743 | 104.26.5.15 | 443 | 6996 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:29 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 07:41:30 UTC | 656 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 07:41:30 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471E72:2E58_93878F2E:0050_6620CEAA_8A2115C:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bPHgcabrtfLpcW2VR%2BUo8l1219Kg6cvZdwDU9K%2FxAiHEdOlR7dur0ECGpvOBXyKPKyvrSSO2G6XUPJAQnHqhXVmif7rvcnO7U2knB6JnY0K6vCI%2B1MBZ8boU%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87630347ae6553e5-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 07:41:30 UTC | 699 | IN | Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-18 07:41:30 UTC | 5 | IN | Data Ascii: 0


                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                          5192.168.2.449744104.26.5.154436688C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                          2024-04-18 07:41:30 UTC261OUTGET /demo/home.php?s=81.181.57.52 HTTP/1.1
                                                                                                                                                                                          Connection: Keep-Alive
                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                                                          Host: db-ip.com
                                                                                                                                                                                          2024-04-18 07:41:30 UTC656INHTTP/1.1 200 OK
                                                                                                                                                                                          Date: Thu, 18 Apr 2024 07:41:30 GMT
                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                          Connection: close
                                                                                                                                                                                          x-iplb-request-id: AC454653:516A_93878F2E:0050_6620CEAA_89F4498:7B63
                                                                                                                                                                                          x-iplb-instance: 59128
                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wGZJJhdEK7MACRv5GemiFIswf6%2BI5D3yJtyAS7TantmutIJ0YCKYNqBgeQJ0VGSk0R1Qyah5yT52HjBhbtOM7Tl0oHlP2p%2F8gRScU%2BVNHfo2oUG2ryP28%2FZr1g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                          CF-RAY: 87630347ed386775-ATL
                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
2024-04-18 07:41:30 UTC | 699 | IN | Data Raw: 32 62 34 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a
Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-18 07:41:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49747 | 34.117.186.192 | 443 | 5164 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:46 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 07:41:47 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 07:41:47 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 07:41:47 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 07:41:47 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port
7 | 192.168.2.4 | 49748 | 34.117.186.192 | 443
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:47 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 07:41:47 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 07:41:47 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 07:41:47 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 07:41:47 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port
8 | 192.168.2.4 | 49750 | 104.26.5.15 | 443
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:47 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 07:41:47 UTC | 658 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 07:41:47 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC4547D7:D07E_93878F2E:0050_6620CEBB_89F4667:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9gWL6BGmcyohstKpV3KEWuf7Sq%2FK4gp0iulFgz9dQjY%2BRHoIqz4oGExKo%2F%2BM7UKC8O5AQsaCKXiTKWwBOK2idjbAlDllcsD29rkp24ytMky2S0zAsnswudQU%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 876303b4ac7a6730-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 07:41:47 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 07:41:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49749 | 104.26.5.15 | 443 | 5164 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 07:41:47 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 07:41:47 UTC | 658 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 07:41:47 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454745:A5AC_93878F2E:0050_6620CEBB_8A21337:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YXZNWA1jfKczmYlttbdGmePrznOwNc%2BnXfv%2FDONnsiOh6ze%2BUVIz3hyK01UGetER4TLF%2BRVndsmOk5XlOvV%2FWYxkdNRgRrgvLEVyKJDUUV1p0vgnwG9msLznCw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 876303b47fac674c-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 07:41:47 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 07:41:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
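The sessions above show the sample's geolocation check: the dropped RageMP131.exe (running from AppData\Local) calls ipinfo.io's homepage widget endpoint and db-ip.com's demo endpoint for its own public IP, while presenting a Chrome User-Agent and, on the db-ip.com request, a GET that carries a form Content-Type with no body. As an added example that is not part of the Joe Sandbox report, the Python below runs a small triage rule over those session records: a request to a public IP-geolocation host is flagged when the originating process is not a browser, claims a browser User-Agent, runs from a user-profile AppData directory, or sends a GET with a Content-Type but no Content-Length. The record shape, the browser image list and the chrome.exe control session are assumptions of the example; the four RisePro sessions are constructed from the values shown in the report.

```python
"""Triage rule: IP-geolocation lookups that do not come from a browser.

Added example, not part of the Joe Sandbox report. The session records
are constructed from the session table and HTTP requests in the report;
the chrome.exe session is a constructed benign control.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical record shape: one entry per sandbox HTTP session."""
    sid: int
    dst_ip: str
    dst_port: int
    process: str                 # image path of the originating process, "" if unattributed
    request_line: str
    headers: dict = field(default_factory=dict)


# Only the geolocation hosts seen in the report; extend for your environment.
GEOIP_HOSTS = {"ipinfo.io", "db-ip.com"}
# Assumed list of images that may legitimately present a browser User-Agent.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
STEALER = r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

# Constructed from the report's sessions 6-9, plus a control session (sid 100).
SESSIONS = [
    Session(6, "34.117.186.192", 443, STEALER, "GET /widget/demo/81.181.57.52 HTTP/1.1",
            {"Connection": "Keep-Alive", "Referer": "https://ipinfo.io/",
             "User-Agent": CHROME_UA, "Host": "ipinfo.io"}),
    Session(7, "34.117.186.192", 443, "", "GET /widget/demo/81.181.57.52 HTTP/1.1",
            {"Connection": "Keep-Alive", "Referer": "https://ipinfo.io/",
             "User-Agent": CHROME_UA, "Host": "ipinfo.io"}),
    Session(8, "104.26.5.15", 443, "", "GET /demo/home.php?s=81.181.57.52 HTTP/1.1",
            {"Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": CHROME_UA, "Host": "db-ip.com"}),
    Session(9, "104.26.5.15", 443, STEALER, "GET /demo/home.php?s=81.181.57.52 HTTP/1.1",
            {"Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": CHROME_UA, "Host": "db-ip.com"}),
    Session(100, "34.117.186.192", 443,
            r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            "GET /widget/demo/81.181.57.52 HTTP/1.1",
            {"Referer": "https://ipinfo.io/", "User-Agent": CHROME_UA, "Host": "ipinfo.io"}),
]


def basename(path):
    """Image file name of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(s):
    """Reasons a session looks like a stealer geolocation beacon (empty if none)."""
    h = {k.lower(): v for k, v in s.headers.items()}
    reasons = []
    if h.get("host", "").lower() not in GEOIP_HOSTS:
        return reasons                      # rule only covers geolocation hosts
    image = basename(s.process)
    if s.process and image not in BROWSER_IMAGES:
        reasons.append(f"geoip lookup from non-browser process {image}")
        if "chrome/" in h.get("user-agent", "").lower():
            reasons.append("browser User-Agent claimed by non-browser process")
    lp = s.process.lower()
    if "\\appdata\\local\\" in lp or "\\appdata\\roaming\\" in lp:
        reasons.append("process image under %APPDATA%/%LOCALAPPDATA%")
    method = s.request_line.split(" ", 1)[0]
    if method == "GET" and "content-type" in h and "content-length" not in h:
        reasons.append("GET carries Content-Type without a body (hand-rolled HTTP client)")
    return reasons


def scan(sessions):
    """Map session id -> reasons, for flagged sessions only."""
    return {s.sid: r for s in sessions if (r := findings(s))}


if __name__ == "__main__":
    for sid, reasons in scan(SESSIONS).items():
        print(f"session {sid}:")
        for r in reasons:
            print(f"  - {r}")
```

Session 7, which the report shows without a PID or process column, is not flagged: its request is byte-for-byte what a real Chrome tab on ipinfo.io would send, so the process attribution the sandbox adds in sessions 6 and 9 is what carries the detection, and the same holds on an endpoint, where a proxy log alone would not distinguish it. The db-ip.com request is the exception, since the stray Content-Type on a GET is visible on the wire regardless of attribution.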


Target ID: 0
Start time: 09:41:05
Start date: 18/04/2024
Path: C:\Users\user\Desktop\dendy.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\dendy.exe"
Imagebase: 0x400000
File size: 909'312 bytes
MD5 hash: 446F080CD1ED262B4DD0C1FF2143297E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2501230299.000000000300C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 09:41:07
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0xe50000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 09:41:07
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:41:07
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0xe50000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:41:07
Start date: 18/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:41:07
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868
Imagebase: 0x2f0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 09:41:08
Start date: 18/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 909'312 bytes
MD5 hash: 446F080CD1ED262B4DD0C1FF2143297E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2508449882.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 83%, ReversingLabs
• Detection: 71%, Virustotal
Reputation: low
Has exited: true

Target ID: 9
Start time: 09:41:08
Start date: 18/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 909'312 bytes
MD5 hash: 446F080CD1ED262B4DD0C1FF2143297E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2343201454.0000000002F6D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                          Start time:09:41:11
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 804
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                          Start time:09:41:11
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 780
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                          Start time:09:41:16
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 952
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:17
                                                                                                                                                                                          Start time:09:41:17
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                          Start time:09:41:18
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:21
                                                                                                                                                                                          Start time:09:41:19
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:24
                                                                                                                                                                                          Start time:09:41:20
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 928
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                          Start time:09:41:20
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 892
                                                                                                                                                                                          Imagebase:0x2f0000
                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                          Start time:09:41:21
                                                                                                                                                                                          Start date:18/04/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                          File size:909'312 bytes
                                                                                                                                                                                          MD5 hash:446F080CD1ED262B4DD0C1FF2143297E
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                          • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2495191919.000000000312B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 83%, ReversingLabs
• Detection: 71%, Virustotal
Has exited:true

Target ID:30
Start time:09:41:23
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1464
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:09:41:23
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 924
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:09:41:23
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 964
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:09:41:25
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 884
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:09:41:25
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1472
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:09:41:25
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 820
Imagebase:0x2f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true
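
A short triage script over the data shown in this report, added here as an example; it is not part of the Joe Sandbox report or of Joe Security's tooling. It parses the process entries above to count how often WerFault.exe was launched for the same crashed PID (WerFault's -p argument names the process being reported; -s is a handle, not a PID), and decodes the memory-dump source names behind the Yara hits to show which matches sit in executable memory that was never mapped from a file on disk. The sample text is copied from the entries above. Reading the first field of the .sdmp name as the target ID, field 5 as the Win32 page protection and field 7 as the region type is an assumption; it is consistent with every source string in this report but is not documented Joe Sandbox semantics.

```python
import re
from collections import Counter

# Constructed sample: the six WerFault entries from the report, trimmed to
# the fields this parser needs.
PROCESS_ENTRIES = r"""
Target ID:30
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1464

Target ID:31
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 924

Target ID:33
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 964

Target ID:36
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 884

Target ID:37
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1472

Target ID:40
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 820
"""

# Constructed sample: (rule, source) pairs copied from the Yara matches above.
YARA_HITS = [
    ("JoeSecurity_CredentialStealer",
     "0000001A.00000002.2495191919.000000000312B000.00000004.00000020.00020000.00000000.sdmp"),
    ("JoeSecurity_RiseProStealer",
     "0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp"),
    ("Windows_Trojan_Smokeloader_3687686f",
     "0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_RiseProStealer",
     "0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp"),
    ("JoeSecurity_RiseProStealer",
     "0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp"),
]


def parse_process_entries(text):
    """Split the report's process list into dicts, one per blank-line-separated block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


# WerFault.exe -u -p <pid> -s <handle>: -p is the PID of the faulting process.
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def werfault_crash_counts(entries):
    """Map each PID reported by WerFault to the number of WerFault launches for it."""
    counts = Counter()
    for entry in entries:
        match = WERFAULT_PID.search(entry.get("Commandline", ""))
        if match:
            counts[int(match.group(1))] += 1
    return counts


def repeatedly_crashed_pids(entries):
    """PIDs that WerFault reported more than once (the sample crashed repeatedly)."""
    return sorted(pid for pid, n in werfault_crash_counts(entries).items() if n > 1)


# Win32 constants from MEMORY_BASIC_INFORMATION. Assumption: .sdmp field 5 is
# the page protection and field 7 the region type (holds for this report).
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE* values occupy the high nibble
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}


def decode_sdmp_source(source):
    """Decode a Joe Sandbox memory-dump name into target ID, base, protection and type."""
    fields = source.rsplit(".sdmp", 1)[0].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected sdmp name: {source}")
    target_id, _, _, base, protect, _, mem_type, _ = (int(f, 16) for f in fields)
    return {
        "target_id": target_id,        # assumption: first field is the target ID
        "base": base,
        "protect": protect,
        "executable": bool(protect & PAGE_EXECUTE_MASK),
        "type": TYPE_NAMES.get(mem_type, hex(mem_type)),
    }


def suspicious_hits(hits):
    """(rule, base) for Yara hits in executable memory that is not a mapped image:
    code present only in memory, i.e. unpacked or injected, never on disk."""
    flagged = []
    for rule, source in hits:
        info = decode_sdmp_source(source)
        if info["executable"] and info["type"] != "image":
            flagged.append((rule, info["base"]))
    return flagged


if __name__ == "__main__":
    procs = parse_process_entries(PROCESS_ENTRIES)
    print("WerFault launches per PID:", dict(werfault_crash_counts(procs)))
    print("repeat crashers:", repeatedly_crashed_pids(procs))
    for rule, base in suspicious_hits(YARA_HITS):
        print(f"{rule} matched in executable private memory at {base:#x}")
```

On this report the script reports PIDs 7028 and 6996 as crashing twice each, and singles out the RisePro and SmokeLoader matches at 0x4A40000: an RWX private region, which is where the unpacked payload lives, as opposed to the 0x400000 image region whose section rights the sample changed itself.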


Execution Graph

Execution Coverage:24.2%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:44.5%
Total number of Nodes:2000
Total number of Limit Nodes:99

[The interactive execution graph is not reproducible as text. API calls recoverable from its node labels, grouped by the function that reaches them:]
• 45ea9c (main control flow): CreateMutexA, GetLastError, Sleep loops, shutdown/closesocket/WSACleanup, repeated PEB reads (GetPEB), GetModuleHandleA/GetProcAddress, GetCurrentProcess, OutputDebugStringA (several sites), CreateThread (twice), WaitForSingleObject, long RaiseException chains; via 40c490: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA, SetupDiGetClassDevsA (40bf20)
• 43c800 (thread started from 45febb): LoadLibraryA, seven GetProcAddress resolutions, FreeLibrary on one path; 43ca61/43ca60: FreeLibrary
• 414233: CopyFileA; after GetLastError (413f60) the copy is retried around the Restart Manager (RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmEndSession/SetLastError) with CopyFileA again
• 41fa10: FindFirstFileA, FindNextFileA, GetLastError, FindClose
• 43b65d: lstrlenA, GetPrivateProfileStringA
• 4a504c / 4a5c88: buffered file read through 491300: SetFilePointer, ReadFile, GetLastError, RtlFreeHeap
• 4fa40a: RtlAllocateHeap, RtlReAllocateHeap (CRT __dosmaperr/__freea wrappers); 4f363b: RtlFreeHeap, GetLastError
• 4224d9, 422852, 4060e0: CRT and exception helpers (Concurrency::cancel_current_task, ___std_exception_copy, RaiseException) plus summarized sub-calls without named APIs
51136 43cacf 51116->51136 51117 43dcb0 51117->50760 51118 4de42b Concurrency::cancel_current_task RaiseException 51121 43de38 51118->51121 51119 43dd8d 51120 4de42b Concurrency::cancel_current_task RaiseException 51119->51120 51132 43dcda 51120->51132 51122 43dfbf CredEnumerateA 51121->51122 51126 43e8d8 51121->51126 51125 43e7f3 51122->51125 51134 43dfe7 51122->51134 51123 43e7dd 51124 43e7e7 GetPEB 51123->51124 51123->51125 51124->51125 51125->50760 51127 4de42b Concurrency::cancel_current_task RaiseException 51126->51127 51129 43e92e 51127->51129 51128 4680a0 3 API calls 51128->51134 51130 4de42b Concurrency::cancel_current_task RaiseException 51129->51130 51131 43e980 51130->51131 51132->51118 51133 4dc8a2 2 API calls 51133->51134 51134->51123 51134->51126 51134->51128 51134->51129 51134->51133 51134->51134 51137 462610 3 API calls 51134->51137 51135 46a190 RaiseException 51135->51136 51136->51117 51136->51119 51136->51132 51136->51135 51138 462610 ___std_exception_copy ___std_exception_copy RaiseException 51136->51138 51137->51134 51138->51136 51158 44f3f0 51139->51158 51140 4501b6 51607 440c10 51140->51607 51142 4501c8 51143 46a190 RaiseException 51142->51143 51144 450207 51143->51144 51145 462d20 3 API calls 51144->51145 51152 462d20 ___std_exception_copy ___std_exception_copy RaiseException 51152->51158 51153 4628f0 ___std_exception_copy RaiseException 51153->51158 51154 428180 80 API calls 51154->51158 51156 46a190 RaiseException 51156->51158 51158->51140 51158->51152 51158->51153 51158->51154 51158->51156 51415 422360 51158->51415 51438 423670 51158->51438 51455 424730 51158->51455 51507 42b670 51158->51507 51527 42c980 51158->51527 51576 431be0 51158->51576 51365->50762 51368 4debe0 51367->51368 51369 40c039 GetWindowsDirectoryA 51368->51369 51371 40c246 51369->51371 51372 40c056 51369->51372 51370 40c219 GetVolumeInformationA 51370->51371 51371->50911 51372->51370 51372->51371 51374 40bf5e 51373->51374 51374->50914 51376 4821fd 51375->51376 51378 4822cf 
51376->51378 51383 482360 51376->51383 51378->50930 51379 482272 51379->51378 51389 481d90 51379->51389 51381 4822b9 51381->51378 51393 481f00 51381->51393 51384 482396 CatchIt 51383->51384 51386 48238d 51383->51386 51385 468210 3 API calls 51384->51385 51384->51386 51387 4825bd 51385->51387 51386->51379 51388 468210 3 API calls 51387->51388 51388->51386 51391 481dc3 51389->51391 51390 481eb9 51390->51381 51391->51390 51407 482710 51391->51407 51394 481f26 51393->51394 51411 482860 51394->51411 51396 481f8f 51397 468210 3 API calls 51396->51397 51398 482042 51397->51398 51399 468210 3 API calls 51398->51399 51400 482107 51398->51400 51399->51398 51401 482360 3 API calls 51400->51401 51402 482146 51400->51402 51403 482272 51401->51403 51402->51378 51403->51402 51404 481d90 3 API calls 51403->51404 51405 4822b9 51404->51405 51405->51402 51406 481f00 4 API calls 51405->51406 51406->51402 51408 482744 51407->51408 51410 48273c 51407->51410 51409 468210 3 API calls 51408->51409 51408->51410 51409->51410 51410->51390 51412 4828af GetLastError 51411->51412 51414 48288f 51411->51414 51412->51414 51414->51396 51414->51414 51416 4223a6 51415->51416 51417 46a190 RaiseException 51416->51417 51418 42240d 51417->51418 51419 422472 SHGetFolderPathA 51418->51419 51420 4224ac 51419->51420 51421 473140 3 API calls 51420->51421 51422 422846 51421->51422 51423 473140 3 API calls 51422->51423 51431 4228d7 51422->51431 51423->51431 51424 42352f 51424->51158 51425 4235da 51431->51424 51431->51425 51439 4236b6 51438->51439 51440 46a190 RaiseException 51439->51440 51441 423727 51440->51441 51442 42378c SHGetFolderPathA 51441->51442 51443 4237c6 51442->51443 51444 473140 3 API calls 51443->51444 51448 4237f3 51443->51448 51444->51448 51445 473140 3 API calls 51454 423bf4 51445->51454 51446 423846 51446->51158 51447 4628f0 ___std_exception_copy RaiseException 51447->51454 51448->51445 51448->51446 51448->51454 51449 4c3160 10 API calls 51449->51454 51450 4144e0 14 API calls 51450->51454 
51451 4a0800 10 API calls 51451->51454 51452 46a190 RaiseException 51452->51454 51453 462610 ___std_exception_copy ___std_exception_copy RaiseException 51453->51454 51454->51446 51454->51447 51454->51449 51454->51450 51454->51451 51454->51452 51454->51453 51456 42477d 51455->51456 51457 46a190 RaiseException 51456->51457 51458 4247f6 51457->51458 51459 42485b SHGetFolderPathA 51458->51459 51460 424895 51459->51460 51461 473140 3 API calls 51460->51461 51474 4248c2 51460->51474 51461->51474 51462 473140 3 API calls 51463 424d9c 51462->51463 51464 40b110 22 API calls 51463->51464 51476 42491e 51463->51476 51467 424e8e 51464->51467 51465 42498d 51465->51158 51466 4de42b Concurrency::cancel_current_task RaiseException 51469 428048 51466->51469 51474->51462 51474->51463 51474->51476 51476->51465 51476->51466 51508 42b6b6 51507->51508 51509 46a190 RaiseException 51508->51509 51510 42b71d 51509->51510 51511 42b782 SHGetFolderPathA 51510->51511 51512 42b7bc 51511->51512 51513 473140 3 API calls 51512->51513 51516 42b7e9 51512->51516 51513->51516 51514 473140 3 API calls 51525 42bbfc 51514->51525 51515 42b83f 51515->51158 51516->51514 51516->51515 51516->51525 51517 46a190 RaiseException 51517->51525 51518 4c3160 10 API calls 51518->51525 51519 462610 ___std_exception_copy ___std_exception_copy RaiseException 51519->51525 51520 4144e0 14 API calls 51520->51525 51521 42c90d 51522 4de42b Concurrency::cancel_current_task RaiseException 51521->51522 51522->51515 51523 42c49b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 51523->51525 51524 4628f0 ___std_exception_copy RaiseException 51524->51525 51525->51515 51525->51517 51525->51518 51525->51519 51525->51520 51525->51521 51525->51523 51525->51524 51526 4a0800 10 API calls 51525->51526 51526->51525 51528 42c9cc 51527->51528 51529 46a190 RaiseException 51528->51529 51530 42ca30 51529->51530 51531 42ca95 SHGetFolderPathA 51530->51531 51532 42cacf 51531->51532 51533 42cf4d 51532->51533 51551 42cafc 51532->51551 51534 473140 3 API calls 
51533->51534 51535 42cf3c 51534->51535 51536 473140 3 API calls 51535->51536 51537 42d03e 51535->51537 51540 42cb4f 51535->51540 51536->51537 51538 40b110 22 API calls 51537->51538 51537->51540 51539 468210 3 API calls 51539->51551 51542 4de42b Concurrency::cancel_current_task RaiseException 51540->51542 51549 42cbbf 51540->51549 51543 42eb8a 51542->51543 51549->51158 51551->51535 51551->51539 51551->51540 51577 4debe0 51576->51577 51578 431c4c SHGetFolderPathA 51577->51578 51579 431c85 51578->51579 51580 473140 3 API calls 51579->51580 51594 431cb2 51579->51594 51580->51594 51581 473140 3 API calls 51582 4320f3 51581->51582 51583 40ab40 37 API calls 51582->51583 51584 4321a9 51583->51584 51585 46a630 25 API calls 51584->51585 51605 43237f CatchIt 51584->51605 51586 43222c 51585->51586 51587 431d05 51587->51158 51592 40ab40 37 API calls 51592->51605 51594->51581 51594->51582 51594->51587 51597 46a630 25 API calls 51597->51605 51602 46a190 RaiseException 51602->51605 51603 402f50 3 API calls 51603->51605 51604 46a2d0 RaiseException 51604->51605 51605->51587 51605->51592 51605->51597 51605->51602 51605->51603 51605->51604 51640 431430 51605->51640 51608 440c56 51607->51608 51609 46a190 RaiseException 51608->51609 51611 440cbc 51609->51611 51610 440d2c RegOpenKeyExA 51610->51611 51624 440d69 CatchIt 51610->51624 51611->51610 51614 441d66 51611->51614 51612 440d83 RegEnumKeyA 51613 441d30 RegCloseKey 51612->51613 51612->51624 51613->51611 51614->51142 51615 440db0 RegOpenKeyExA 51615->51624 51616 441d02 RegEnumKeyA 51616->51613 51616->51615 51617 440e9d RegQueryValueExA 51618 441ce6 RegCloseKey 51617->51618 51617->51624 51618->51624 51619 440fcd RegQueryValueExA 51619->51624 51620 4410e0 RegQueryValueExA 51620->51624 51621 441d7c 51622 4de42b Concurrency::cancel_current_task RaiseException 51621->51622 51623 441dd1 51622->51623 51624->51612 51624->51615 51624->51616 51624->51617 51624->51618 51624->51619 51624->51620 51624->51621 51624->51623 51625 4dc8a2 
___std_exception_copy RaiseException 51624->51625 51626 46a190 RaiseException 51624->51626 51627 462610 3 API calls 51624->51627 51625->51624 51626->51624 51627->51624 52133 450453 52087->52133 52088 455fa6 52090 450577 52091 455430 52090->52091 52092 450643 52090->52092 52729 42eb90 52090->52729 52096 455506 52091->52096 52094 4506a2 52092->52094 52093 42eb90 26 API calls 52093->52096 52095 42eb90 26 API calls 52094->52095 52097 45074e 52095->52097 52096->52093 52101 455644 52096->52101 52099 4507b0 52097->52099 52098 42eb90 26 API calls 52098->52101 52100 42eb90 26 API calls 52099->52100 52102 450869 52100->52102 52101->52098 52106 455755 52101->52106 52104 4508cb 52102->52104 52103 42eb90 26 API calls 52103->52106 52105 42eb90 26 API calls 52104->52105 52107 450970 52105->52107 52106->52103 52111 455870 52106->52111 52109 4509d2 52107->52109 52108 42eb90 26 API calls 52108->52111 52110 42eb90 26 API calls 52109->52110 52112 450a88 52110->52112 52111->52108 52116 45596e 52111->52116 52114 450aea 52112->52114 52113 42eb90 26 API calls 52113->52116 52115 42eb90 26 API calls 52114->52115 52117 450ba0 52115->52117 52116->52113 52121 455a82 52116->52121 52119 450c02 52117->52119 52118 42eb90 26 API calls 52118->52121 52120 42eb90 26 API calls 52119->52120 52122 450cb1 52120->52122 52121->52118 52126 455b98 52121->52126 52124 450d13 52122->52124 52123 42eb90 26 API calls 52123->52126 52125 42eb90 26 API calls 52124->52125 52127 450dab 52125->52127 52126->52123 52131 455cb5 52126->52131 52129 450e0d 52127->52129 52128 42eb90 26 API calls 52128->52131 52131->52128 52131->52133 52133->52088 52133->52090 52134 42eb90 26 API calls 52133->52134 52134->52133 52342 455fe6 52332->52342 52333 456486 52337 4628f0 ___std_exception_copy RaiseException 52337->52342 52339 46a190 RaiseException 52339->52342 52340 462d20 ___std_exception_copy ___std_exception_copy RaiseException 52340->52342 52342->52333 52342->52337 52342->52339 52342->52340 52745 434b20 52342->52745 52780 4378a0 
52342->52780 52804 438770 52342->52804 52829 439a80 52342->52829 52836 43b750 52342->52836 52730 4debe0 52729->52730 52731 42ebda SHGetFolderPathA 52730->52731 52732 42ec11 52731->52732 52733 42f62e 52732->52733 52739 42ec2f 52732->52739 52734 473140 3 API calls 52733->52734 52735 42f620 52734->52735 52736 473140 3 API calls 52735->52736 52744 42f6cd 52735->52744 52736->52744 52737 42ec84 52737->52090 52738 468210 ___std_exception_copy ___std_exception_copy RaiseException 52738->52739 52739->52735 52739->52737 52739->52738 52743 40b110 22 API calls 52739->52743 52740 468210 3 API calls 52740->52744 52741 40b110 22 API calls 52741->52744 52742 472400 ___std_exception_copy ___std_exception_copy RaiseException 52742->52744 52743->52739 52744->52737 52744->52740 52744->52741 52744->52742 52746 434b42 52745->52746 52746->52746 52747 46a190 RaiseException 52746->52747 52748 434bcd 52747->52748 52749 434c2f SHGetFolderPathA 52748->52749 52750 434c5c 52749->52750 52751 434cc2 GetPrivateProfileSectionNamesA 52750->52751 52771 434d00 CatchIt 52751->52771 52752 437777 lstrlenA 52755 437790 52752->52755 52752->52771 52753 434d9e GetPrivateProfileStringA 52753->52771 52754 437897 52755->52342 52756 40ab40 37 API calls 52756->52771 52757 46a630 25 API calls 52757->52771 52758 4c3160 10 API calls 52758->52771 52759 4144e0 14 API calls 52759->52771 52760 4a0800 10 API calls 52760->52771 52761 462d20 ___std_exception_copy ___std_exception_copy RaiseException 52761->52771 52762 40b1a0 GetFileAttributesA GetLastError std::_Throw_Cpp_error std::_Throw_Cpp_error 52762->52771 52763 4dc8a2 ___std_exception_copy RaiseException 52763->52771 52764 4367ef CreateDirectoryA 52764->52771 52765 4377e8 52769 4de42b Concurrency::cancel_current_task RaiseException 52765->52769 52766 43783d 52768 4de42b Concurrency::cancel_current_task RaiseException 52766->52768 52767 468210 ___std_exception_copy ___std_exception_copy RaiseException 52767->52771 52768->52754 52769->52766 52770 436b60 
CreateDirectoryA 52770->52771 52771->52752 52771->52753 52771->52754 52771->52756 52771->52757 52771->52758 52771->52759 52771->52760 52771->52761 52771->52762 52771->52763 52771->52764 52771->52765 52771->52766 52771->52767 52771->52770 52772 40b110 22 API calls 52771->52772 52773 46a190 RaiseException 52771->52773 52774 46a2d0 RaiseException 52771->52774 52775 462610 ___std_exception_copy ___std_exception_copy RaiseException 52771->52775 52776 434730 ___std_exception_copy ___std_exception_copy RaiseException 52771->52776 52777 4ea858 18 API calls 52771->52777 52778 4629d0 ___std_exception_copy ___std_exception_copy RaiseException 52771->52778 52779 4e62d8 22 API calls 52771->52779 52772->52771 52773->52771 52774->52771 52775->52771 52776->52771 52777->52771 52778->52771 52779->52771 52781 4378c2 52780->52781 52781->52781 52782 46a190 RaiseException 52781->52782 52783 43794c 52782->52783 52784 437996 SHGetFolderPathA 52783->52784 52785 4379c3 52784->52785 52786 437a2d GetPrivateProfileSectionNamesA 52785->52786 52803 437a70 52786->52803 52787 43865a lstrlenA 52789 438673 52787->52789 52787->52803 52788 437af1 GetPrivateProfileStringA 52788->52803 52789->52342 52790 4386b3 52791 4de42b Concurrency::cancel_current_task RaiseException 52790->52791 52792 438712 52791->52792 52794 4de42b Concurrency::cancel_current_task RaiseException 52792->52794 52793 4e62d8 22 API calls 52793->52803 52795 438767 52794->52795 52796 4673c0 2 API calls 52796->52803 52797 4c3160 10 API calls 52797->52803 52798 462610 ___std_exception_copy ___std_exception_copy RaiseException 52798->52803 52799 4a0800 10 API calls 52799->52803 52800 4144e0 14 API calls 52800->52803 52801 46a190 RaiseException 52801->52803 52802 4628f0 2 API calls 52802->52803 52803->52787 52803->52788 52803->52790 52803->52792 52803->52793 52803->52796 52803->52797 52803->52798 52803->52799 52803->52800 52803->52801 52803->52802 52805 438792 52804->52805 52805->52805 52806 46a190 RaiseException 52805->52806 52807 438835 
52806->52807 52808 438891 SHGetFolderPathA 52807->52808 52809 4388be 52808->52809 52810 438923 GetPrivateProfileSectionNamesA 52809->52810 52828 438960 52810->52828 52811 439983 lstrlenA 52813 43999c 52811->52813 52811->52828 52812 4389e1 GetPrivateProfileStringA 52812->52828 52813->52342 52814 4399dc 52815 4de42b Concurrency::cancel_current_task RaiseException 52814->52815 52816 439a40 52815->52816 52817 4e62d8 22 API calls 52817->52828 52818 4673c0 2 API calls 52818->52828 52819 46a190 RaiseException 52819->52828 52820 4c3160 10 API calls 52820->52828 52821 462610 ___std_exception_copy ___std_exception_copy RaiseException 52821->52828 52822 4144e0 14 API calls 52822->52828 52823 46ec40 3 API calls 52823->52828 52824 468210 3 API calls 52824->52828 52825 4dc8a2 2 API calls 52825->52828 52826 4628f0 2 API calls 52826->52828 52827 4a0800 10 API calls 52827->52828 52828->52811 52828->52812 52828->52814 52828->52817 52828->52818 52828->52819 52828->52820 52828->52821 52828->52822 52828->52823 52828->52824 52828->52825 52828->52826 52828->52827 52830 439aa2 52829->52830 52831 46a190 RaiseException 52830->52831 52832 439b34 52831->52832 52833 439b96 SHGetFolderPathA 52832->52833 52834 439bc3 52833->52834 52835 439c2e GetPrivateProfileSectionNamesA 52834->52835 52837 43b772 52836->52837 52837->52837 52838 46a190 RaiseException 52837->52838 52839 43b7fd 52838->52839 52840 43b850 SHGetFolderPathA 52839->52840 52841 43b87d 52840->52841 52842 43b8e2 GetPrivateProfileSectionNamesA 52841->52842 52849 43b920 52842->52849 52843 43c79a lstrlenA 52845 43c7b3 52843->52845 52843->52849 52844 43b9a1 GetPrivateProfileStringA 52844->52849 52845->52342 52846 43c7f3 52847 4e62d8 22 API calls 52847->52849 52848 4628f0 ___std_exception_copy RaiseException 52848->52849 52849->52843 52849->52844 52849->52846 52849->52847 52849->52848 52850 462610 ___std_exception_copy ___std_exception_copy RaiseException 52849->52850 52851 4144e0 14 API calls 52849->52851 52852 46ec40 3 API calls 
52849->52852 52853 468210 3 API calls 52849->52853 52854 4c3160 10 API calls 52849->52854 52855 46a190 RaiseException 52849->52855 52856 43c4e2 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 52849->52856 52857 4a0800 10 API calls 52849->52857 52850->52849 52851->52849 52852->52849 52853->52849 52854->52849 52855->52849 52856->52849 52857->52849 53023 4a40ab 53024 4a40c8 53023->53024 53026 4a15c6 53023->53026 53025 498900 10 API calls 53024->53025 53025->53026 53050 4a46a2 53051 4a46b7 53050->53051 53055 4a4750 53051->53055 53056 4983e0 53051->53056 53053 4a46f5 53054 498900 10 API calls 53053->53054 53053->53055 53054->53055 53058 4983fd 53056->53058 53057 498555 53057->53053 53058->53057 53066 49846f 53058->53066 53068 496080 53058->53068 53059 48db50 2 API calls 53061 498539 53059->53061 53063 48db50 2 API calls 53061->53063 53062 498457 53062->53066 53086 4959b0 53062->53086 53064 498542 53063->53064 53064->53053 53066->53059 53067 498504 53066->53067 53067->53053 53074 4960b4 53068->53074 53069 496144 53070 496436 53069->53070 53073 496172 CatchIt 53069->53073 53072 48db50 2 API calls 53070->53072 53071 49643c 53071->53062 53072->53071 53075 49620b 53073->53075 53080 48db50 2 API calls 53073->53080 53074->53069 53074->53071 53076 49612d 53074->53076 53083 49624e 53075->53083 53091 491c30 53075->53091 53115 491d10 53075->53115 53077 48db50 2 API calls 53076->53077 53078 496138 53077->53078 53078->53062 53079 48db50 2 API calls 53081 49642a 53079->53081 53080->53075 53081->53062 53082 496306 53082->53062 53083->53079 53083->53082 53087 4959c6 53086->53087 53088 4959f3 53087->53088 53090 491300 4 API calls 53087->53090 53088->53066 53089 4959e1 53089->53066 53090->53089 53093 491c4c 53091->53093 53092 491c7a 53092->53083 53093->53092 53094 491d2e CreateFileA 53093->53094 53095 491d26 CreateFileW 53093->53095 53096 491d34 53094->53096 53095->53096 53097 491d3b 53096->53097 53098 491d7a 53096->53098 53099 4eaec6 __freea 2 API calls 53097->53099 53141 492080 53098->53141 
53101 491d44 53099->53101 53102 491d6e 53101->53102 53104 491c30 7 API calls 53101->53104 53102->53083 53103 491ea0 53106 4eaec6 __freea 2 API calls 53103->53106 53105 491d64 53104->53105 53105->53083 53106->53092 53108 491e81 GetDiskFreeSpaceA 53110 491e98 53108->53110 53109 491dcc 53109->53103 53111 491e20 GetDiskFreeSpaceW 53109->53111 53113 491e64 53109->53113 53114 4eaec6 __freea 2 API calls 53110->53114 53111->53110 53112 491e7c 53112->53108 53113->53108 53113->53112 53114->53103 53116 491d19 53115->53116 53117 491d3d 53115->53117 53118 491d2e CreateFileA 53116->53118 53119 491d26 CreateFileW 53116->53119 53120 491d44 53117->53120 53121 4eaec6 __freea 2 API calls 53117->53121 53122 491d34 53118->53122 53119->53122 53123 491d6e 53120->53123 53125 491c30 11 API calls 53120->53125 53121->53120 53124 491d3b 53122->53124 53126 491d7a 53122->53126 53123->53083 53127 4eaec6 __freea 2 API calls 53124->53127 53128 491d64 53125->53128 53129 492080 7 API calls 53126->53129 53127->53120 53128->53083 53135 491dcc 53129->53135 53130 491ea0 53131 4eaec6 __freea 2 API calls 53130->53131 53132 491ebe 53131->53132 53132->53083 53134 491e81 GetDiskFreeSpaceA 53136 491e98 53134->53136 53135->53130 53137 491e20 GetDiskFreeSpaceW 53135->53137 53139 491e64 53135->53139 53140 4eaec6 __freea 2 API calls 53136->53140 53137->53136 53138 491e7c 53138->53134 53139->53134 53139->53138 53140->53130 53142 492094 53141->53142 53143 4920ca 53142->53143 53144 4920a0 GetVersionExA 53142->53144 53145 49210f GetFullPathNameA 53143->53145 53146 4920d6 GetFullPathNameW 53143->53146 53144->53143 53148 49211e 53145->53148 53147 4920e8 53146->53147 53149 4920f1 GetFullPathNameW 53147->53149 53150 492127 53147->53150 53148->53150 53151 49213c GetFullPathNameA 53148->53151 53153 4eaec6 __freea 2 API calls 53149->53153 53154 4eaec6 __freea 2 API calls 53150->53154 53152 4eaec6 __freea 2 API calls 53151->53152 53156 492102 53152->53156 53153->53156 53155 49212d 53154->53155 53155->53109 53157 4eaec6 
__freea 2 API calls 53156->53157 53158 49215f 53157->53158 53158->53155 53159 4eaec6 __freea 2 API calls 53158->53159 53160 492180 53159->53160 53160->53109 53161 4202aa 78 API calls 2 library calls 53231 4f3eb8 53232 4f3ece 53231->53232 53234 4f3ef7 53232->53234 53235 4ebee3 53232->53235 53238 4eb88b 53235->53238 53237 4ebefe 53237->53234 53239 4eb897 53238->53239 53241 4eb89e __dosmaperr 53239->53241 53242 4ebe75 53239->53242 53241->53237 53243 4e63d7 __wsopen_s 5 API calls 53242->53243 53244 4ebe97 53243->53244 53245 4e63ba __wsopen_s 5 API calls 53244->53245 53247 4ebea4 53245->53247 53246 4ebeab 53249 4ebedd 53246->53249 53250 4f4253 __freea 2 API calls 53246->53250 53247->53246 53251 4ebf03 53247->53251 53249->53241 53250->53249 53252 4ebf20 53251->53252 53262 4ebf35 __dosmaperr 53252->53262 53269 4ebbbc CreateFileW 53252->53269 53254 4ec029 GetFileType 53255 4ec034 GetLastError 53254->53255 53263 4ec07b 53254->53263 53271 4ea8d5 __dosmaperr 53255->53271 53256 4ebffe GetLastError 53256->53262 53257 4ebfac 53257->53254 53257->53256 53270 4ebbbc CreateFileW 53257->53270 53260 4ec042 CloseHandle 53260->53262 53268 4ec06b __dosmaperr 53260->53268 53261 4ebff1 53261->53254 53261->53256 53262->53246 53263->53262 53264 4ec1a7 CloseHandle 53263->53264 53272 4ebbbc CreateFileW 53264->53272 53266 4ec1d2 53267 4ec1dc GetLastError 53266->53267 53266->53268 53267->53268 53268->53262 53269->53257 53270->53261 53271->53260 53272->53266 53273 4b3cb0 53274 4b3cdb 53273->53274 53275 4b3cd2 CatchIt 53273->53275 53275->53274 53277 4b3e4a 53275->53277 53280 48dd90 53275->53280 53277->53274 53278 48db50 2 API calls 53277->53278 53279 4b3edd 53278->53279 53281 48dda5 53280->53281 53287 48de2b 53280->53287 53282 48dda9 53281->53282 53283 48de8e 53281->53283 53286 48de1d CatchIt 53281->53286 53282->53277 53284 48de97 53283->53284 53290 48dc20 53283->53290 53284->53277 53286->53287 53288 48db50 2 API calls 53286->53288 53287->53277 53289 48de84 53288->53289 53289->53277 53291 48dc44 
53290->53291 53292 48dc34 53290->53292 53293 48db50 2 API calls 53291->53293 53294 48dc4e 53291->53294 53292->53287 53293->53294 53294->53287 49700 4ec94e 49703 4ec782 49700->49703 49704 4ec7af 49703->49704 49710 4ec7c0 49703->49710 49704->49710 49723 4ec863 GetModuleHandleExW 49704->49723 49706 4ec7fe 49707 4ec7f8 49707->49706 49716 4ec819 49707->49716 49712 4ec613 49710->49712 49713 4ec61f 49712->49713 49729 4ec69a 49713->49729 49715 4ec636 49715->49707 49748 4ec84a 49716->49748 49718 4ec823 49719 4ec837 49718->49719 49720 4ec827 GetCurrentProcess TerminateProcess 49718->49720 49721 4ec863 3 API calls 49719->49721 49720->49719 49722 4ec83f ExitProcess 49721->49722 49724 4ec8a2 GetProcAddress 49723->49724 49725 4ec8c3 49723->49725 49724->49725 49728 4ec8b6 49724->49728 49726 4ec8c9 FreeLibrary 49725->49726 49727 4ec8d2 49725->49727 49726->49727 49727->49710 49728->49725 49730 4ec6a6 49729->49730 49731 4ec70a 49730->49731 49733 4ef889 __EH_prolog3 49730->49733 49731->49715 49736 4ef5e1 49733->49736 49735 4ef8bc 49735->49731 49737 4ef5ed 49736->49737 49740 4ef799 49737->49740 49739 4ef608 49739->49735 49741 4ef7b0 49740->49741 49742 4ef7b8 49740->49742 49741->49739 49742->49741 49744 4f4253 49742->49744 49745 4f425e RtlFreeHeap 49744->49745 49747 4f4280 __dosmaperr 49744->49747 49746 4f4273 GetLastError 49745->49746 49745->49747 49746->49747 49747->49741 49751 4f83d6 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary GetProcAddress 49748->49751 49750 4ec84f 49750->49718 49751->49750 49851 4a5d4f 49852 4a5d60 49851->49852 49854 4a15c6 49851->49854 49852->49854 49855 499a00 49852->49855 49856 499a14 49855->49856 49857 499a7e 49856->49857 49858 499b54 49856->49858 49861 499a27 49856->49861 49859 499a83 49857->49859 49864 499ad0 49857->49864 49860 499380 6 API calls 49858->49860 49858->49861 49862 4991c0 6 API calls 49859->49862 49860->49861 49861->49854 49863 499ab0 49862->49863 49863->49861 49865 499380 6 API calls 49863->49865 49864->49861 49867 499a00 6 API 
calls 49864->49867 49866 499abf 49865->49866 49866->49854 49868 499b3a 49867->49868 49868->49854 49879 41ff09 49889 41ff23 49879->49889 49881 420327 49884 41ff5c 49881->49884 49920 40b110 49881->49920 49882 41ffcc 49884->49882 49998 4de42b 49884->49998 49886 420404 49887 40b110 22 API calls 49886->49887 49888 420479 49886->49888 49887->49888 49888->49884 49924 40ab40 49888->49924 49889->49881 49889->49884 49962 473140 49889->49962 49891 422304 49892 4de42b Concurrency::cancel_current_task RaiseException 49891->49892 49894 422359 49892->49894 49893 420578 49916 42075f CatchIt 49893->49916 49938 46a630 49893->49938 49896 420613 49975 46a190 49896->49975 49898 420651 49899 46a190 RaiseException 49898->49899 49898->49916 49900 420691 49899->49900 49902 46a190 RaiseException 49900->49902 49901 40b110 22 API calls 49901->49916 49903 4206d1 49902->49903 49904 46a190 RaiseException 49903->49904 49903->49916 49905 420711 49904->49905 49906 46a190 RaiseException 49905->49906 49907 420751 49906->49907 49979 46a2d0 49907->49979 49909 40ab40 37 API calls 49909->49916 49910 46a630 25 API calls 49910->49916 49911 46a190 RaiseException 49911->49916 49913 46a2d0 RaiseException 49913->49916 49915 4a0800 10 API calls 49915->49916 49916->49882 49916->49884 49916->49891 49916->49901 49916->49909 49916->49910 49916->49911 49916->49913 49916->49915 49917 402f50 ___std_exception_copy ___std_exception_copy RaiseException 49916->49917 49942 4c3160 49916->49942 49949 4144e0 49916->49949 49984 4dc8a2 49916->49984 49989 462610 49916->49989 49917->49916 49921 40b140 49920->49921 49923 40b174 49921->49923 50001 4e62d8 49921->50001 49923->49886 49925 40abb0 49924->49925 49928 40ac49 49925->49928 50092 4e6826 49925->50092 49927 40abec 50096 4e25db 49927->50096 49928->49893 49930 40abf2 49931 4e6826 18 API calls 49930->49931 49932 40ac00 49931->49932 49934 40ac0a 49932->49934 50100 4680a0 49932->50100 50105 4eb2cf 49934->50105 49937 4e62d8 22 API calls 49937->49928 49939 46a679 49938->49939 50180 
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045EB04
• GetLastError.KERNEL32 ref: 0045EB19
• Sleep.KERNEL32(00000529), ref: 0045EB3A
• Sleep.KERNEL32(0000002F), ref: 0045EBAA
• shutdown.WS2_32(00000002), ref: 0045EBDA
• closesocket.WS2_32 ref: 0045EBE6
• WSACleanup.WS2_32 ref: 0045EBEC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045ECA1
• Sleep.KERNELBASE(00000065), ref: 0045EE48
• Sleep.KERNEL32(00000000,?,?), ref: 0045EEFF
• GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0045F20A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0045F212
• GetCurrentProcess.KERNEL32(00000000), ref: 0045F220
• OutputDebugStringA.KERNELBASE(#@#^@#TGRERTERYERY,?,?,00000018,0000000A,Function_00002990,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045F234
• OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,00000000,00000000), ref: 0045F2F5
• OutputDebugStringA.KERNEL32(td ydrthrhfty,00000000), ref: 0045F4D0
• OutputDebugStringA.KERNELBASE(45 hgfch rtdyt gfch,0051D9CA,?,?), ref: 0045FEA5
• CreateThread.KERNELBASE(00000000,00000000,00450430,00000000,00000000,00000000), ref: 0045FED0
• CreateThread.KERNELBASE(00000000,00000000,00455FC0,00000000,00000000,00000000), ref: 0045FEE6
• WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0051DAE8,00000001,?,?), ref: 0046008D
• CreateThread.KERNELBASE(00000000,00000000,Function_000564A0,00000000,00000000,00000000), ref: 00460280
• CreateThread.KERNELBASE(00000000,00000000,Function_00058520,00000000,00000000,00000000), ref: 00460294
• CreateThread.KERNELBASE(00000000,00000000,Function_0005A490,00000000,00000000,00000000), ref: 004602AB
• CreateThread.KERNELBASE(00000000,00000000,Function_0005B4B0,00000000,00000000,00000000), ref: 004602C2
• CreateThread.KERNELBASE(00000000,00000000,Function_0005CAE0,00000000,00000000,00000000), ref: 004602D9
• CreateThread.KERNELBASE(00000000,00000000,Function_0005CC40,00000000,00000000,00000000), ref: 004602ED
• CreateThread.KERNELBASE(00000000,00000000,Function_0005D7B0,00000000,00000000,00000000), ref: 00460301
• WaitForSingleObject.KERNEL32(?,000493E0), ref: 004604BE
• WaitForSingleObject.KERNEL32(?,000493E0), ref: 0046056B
• OutputDebugStringA.KERNELBASE( drthdrthdrthdr hrtd hr,0051D9CA,?,?), ref: 00460FAA
• CloseHandle.KERNEL32(?), ref: 004607EF
  • Part of subcall function 00462D20: Concurrency::cancel_current_task.LIBCPMT ref: 00463084
• CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 004610D8
• GetLastError.KERNEL32 ref: 004610ED
• Sleep.KERNEL32(00007530), ref: 00461109
• Sleep.KERNEL32(00000064), ref: 00461174
• Sleep.KERNELBASE(00000BB8,?,?), ref: 004611A9
• shutdown.WS2_32(00000002), ref: 004611B3
• closesocket.WS2_32 ref: 004611BF
• Sleep.KERNEL32(000003E8,?,?), ref: 004611D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: Create$Thread$Sleep$DebugOutputString$ObjectSingleWait$ErrorHandleLastMutexclosesocketshutdown$AddressCleanupCloseConcurrency::cancel_current_taskCurrentModuleProcProcessUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: drthdrthdrthdr hrtd hr$"$#@#^@#TGRERTERYERY$($$(?$)4$/+$0:$1$4$45 hgfch rtdyt gfch$6$$69$<$$<3$?'$PnE$ewetwertyer eytdryrtdy$h0u$hHBT$hK<$hXCT$hhCT$hxCT$jjj$jjj$ntdll.dll$pt$pt$pt$td ydrthrhfty$0w$3f$S2$[7$wc
• API String ID: 2410146291-2344865644
• Opcode ID: 875fde1e0b677f64485a8b47dddb4892b6867e61e92a1a5bb6012f405d97af48
• Instruction ID: 6c641780734558e821d7ba720d099a6b6e2cbdf30005073ce3c1c43e9fa6c162
• Opcode Fuzzy Hash: 875fde1e0b677f64485a8b47dddb4892b6867e61e92a1a5bb6012f405d97af48
• Instruction Fuzzy Hash: 4043BF30900258DBCB25DF68C855BEEBBB0AF15308F1441DED4456B392EB78AE49CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (function starting at 0040CD50; node and edge list not reproduced)
APIs
  • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
  • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
  • Part of subcall function 004EAB9B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000000,00000000,?,00403276,00000000,0045DC3C,00000000), ref: 004EABB0
  • Part of subcall function 004EAB9B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EABCF
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,EE141028,00000000), ref: 0040CF74
• RegQueryValueExA.KERNELBASE(00000000,E81C1F30,00000000,00020019,?,00000400), ref: 0040CFCC
• RegCloseKey.ADVAPI32(00000000), ref: 0040D002
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0040D0A7
• GetModuleHandleExA.KERNEL32(00000004,Function_0000BD20,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040D3A8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,00000000,00000000), ref: 0040D3BD
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,EE141028,00000000), ref: 0040D65A
• RegQueryValueExA.KERNELBASE(00000000,E4100C2D,00000000,00020019,?,00000400), ref: 0040D6B2
• RegCloseKey.ADVAPI32(00000000), ref: 0040D721
• GetComputerNameA.KERNEL32(?,00000104), ref: 0040D755
• GetUserNameA.ADVAPI32(?,00000104), ref: 0040D80F
• GetDesktopWindow.USER32 ref: 0040D840
• GetWindowRect.USER32(00000000,?), ref: 0040D84E
• GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 0040D8CD
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040D9CA
• LocalAlloc.KERNEL32(00000040), ref: 0040D9D9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 0040D9EE
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0040DA16
• LocalFree.KERNEL32(EE141028), ref: 0040DA8B
• GetLocalTime.KERNEL32(?), ref: 0040DAA2
• GetSystemTime.KERNEL32(?), ref: 0040DB30
• GetTimeZoneInformation.KERNELBASE(?), ref: 0040DB53
• TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 0040DB78
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,00000000), ref: 0040DC84
• RegQueryValueExA.KERNELBASE(00000000,?,00000000,00020019,?,00000400), ref: 0040DCD9
• RegCloseKey.ADVAPI32(00000000), ref: 0040DD14
• GetSystemInfo.KERNELBASE(?), ref: 0040DD3C
• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040DD7D
• EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 0040DE21
• EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 0040DFF9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E04C
• Process32First.KERNEL32(00000000,00000128), ref: 0040E064
• Process32Next.KERNEL32(00000000,00000128), ref: 0040E076
• Process32Next.KERNEL32(00000000,?), ref: 0040E0C2
• CloseHandle.KERNEL32(00000000), ref: 0040E0CD
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 0040E181
• RegEnumKeyExA.KERNELBASE(00000000,00000000,?,01000D58,00000000,00000000,00000000,00000000), ref: 0040E1B2
• wsprintfA.USER32 ref: 0040E1F8
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,01000D58), ref: 0040E218
• RegQueryValueExA.KERNELBASE(01000D58,F00C1739,00000000,000F003F,?,00000400), ref: 0040E26D
• RegQueryValueExA.KERNELBASE(01000D58,F00C1739,00000000,000F003F,?,00000400), ref: 0040E2B7
• RegCloseKey.ADVAPI32(01000D58), ref: 0040E2FF
• RegCloseKey.ADVAPI32(00000000), ref: 0040E317
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
                                                                                                                                                                                            • API ID: Time$Close$OpenQueryValue$LocalNameSystem$EnumProcess32$CurrentDevicesDisplayFileHandleInfoKeyboardLayoutListLocaleModuleNextProcessUserWindow$AllocComputerCreateDefaultDesktopFirstFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
                                                                                                                                                                                            • String ID: "$?$@$@$P$X$X$b$pt/
                                                                                                                                                                                            • API String ID: 3690012277-2877099211
                                                                                                                                                                                            • Opcode ID: ff3135fc719a78f5270d7665580d88a305c6dcacea43571ddee4e838c0b3e866
                                                                                                                                                                                            • Instruction ID: 5f0dfbe202ebed62e8e1fc962ad7b47538b82224645736a3c109de223eb16045
                                                                                                                                                                                            • Opcode Fuzzy Hash: ff3135fc719a78f5270d7665580d88a305c6dcacea43571ddee4e838c0b3e866
                                                                                                                                                                                            • Instruction Fuzzy Hash: ACE29071C0025DDADB11DBA4CC45BEEB7B8BF15308F00419AE549B7292EBB81B89CF65
                                                                                                                                                                                            Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004436EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044383A
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004438D6
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443A09
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443AA4
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443BFE
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443C97
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443ED8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444039
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00444292
• CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000), ref: 00444416
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044483E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444898
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444A1E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444CE4
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00444E4E
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444B76
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445C65
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445CC0
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
  • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,AA515422,?,AA515421,00445E27,00000000,AA515421,AA515422,74DF3100,?), ref: 0040E929
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: CreateDirectory$File$Copy$Cpp_errorFolderPathThrow_std::_$AttributesErrorFindFirstLast
• String ID: !$!$!$!*3$!2$!9$+$_
• API String ID: 2574188035-3231385310
• Opcode ID: 90ea648ec7e5144d9d7e51a02eab93e2dfaacc108a9fdab915825b38430a0943
• Instruction ID: 025911db0c563e97186e133afa2aa293af237d43ae1464fea8b21352b95799e4
• Opcode Fuzzy Hash: 90ea648ec7e5144d9d7e51a02eab93e2dfaacc108a9fdab915825b38430a0943
• Instruction Fuzzy Hash: FE637D70C04298DADB21EBA5CD557DEBB74AF21308F4441DAD449772C2EBB81B88CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004485E3
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?), ref: 004486E2
• RegCloseKey.ADVAPI32(?,?,?), ref: 0044870C
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00448973
• GetUserNameA.ADVAPI32(?,00000104), ref: 004489A9
  • Part of subcall function 004160B0: GetModuleHandleA.KERNEL32(EE0D1B36,?), ref: 00416186
  • Part of subcall function 004160B0: GetProcAddress.KERNEL32(00000000,E11A0C3E), ref: 00416191
  • Part of subcall function 004160B0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020006), ref: 0044865A
  • Part of subcall function 00415E30: GetFileAttributesA.KERNELBASE(?,7FFFFFFF), ref: 00415EDC
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004490D9
• SHGetFolderPathA.SHELL32(00000000,00000007,00000000,00000000,?), ref: 004490F6
• CoInitialize.OLE32(00000000), ref: 004491DD
• CoCreateInstance.OLE32(Function_00115570,00000000,00000001,Function_00115540,?), ref: 004491FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00449289
• CoUninitialize.OLE32 ref: 004492B9
• ShellExecuteA.SHELL32(00000000,EE1A0E12,00000000,00000000,00000000,00000001), ref: 00449327
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: File$Copy$AttributesCreate$AddressByteCharCloseErrorExecuteFolderHandleInitializeInstanceLastModuleMultiNameOpenPathProcProcessShellUninitializeUserValueWide
• String ID: $!$!$!$!$!$!$!$!$"$"$"$"$"$"$Q$Q$Q$Q$Q$S$S$S$S$]$]
• API String ID: 28878968-1574997588
• Opcode ID: eb3c67ee43f5d0ba5e937f94368f7f9067faab96f8ee18e0c941c97c20be299e
• Instruction ID: 139baba76caebeb6474e4cab1ec68c198fad151c4d689f4ddca6dd48a2d49319
• Opcode Fuzzy Hash: eb3c67ee43f5d0ba5e937f94368f7f9067faab96f8ee18e0c941c97c20be299e
• Instruction Fuzzy Hash: 00639A70D042689ADB24EB64CD55BDEBBB4AF11308F0441DAE449772D2EB781F88CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 5069 45e5d4-45e634 call 40ab30 call 4029f0 call 4655d0 call 40b740 call 464230 5080 45e666-45e698 call 464330 CreateThread FindCloseChangeNotification 5069->5080 5081 45e636-45e661 call 464210 call 4654b0 call 464210 call 4654b0 5069->5081 5086 45e747-45e771 call 40ab00 call 4029f0 5080->5086 5087 45e69e 5080->5087 5081->5080 5102 45e777-45e780 5086->5102 5090 45e6a0-45e6ac GetPEB 5087->5090 5093 45e6b0-45e6cf 5090->5093 5097 45e6d1-45e6d6 5093->5097 5098 45e719-45e71b 5093->5098 5097->5098 5101 45e6d8-45e6de 5097->5101 5098->5093 5103 45e6e0-45e6f3 5101->5103 5102->5102 5104 45e782-45e8d9 GetTempPathA call 40b9f0 call 409250 call 4029f0 call 469f00 call 469fa0 call 4654e0 call 402990 * 3 call 409250 call 4029f0 call 469f00 call 469fa0 call 402990 * 2 call 465290 call 40b1a0 5102->5104 5105 45e6f5-45e708 5103->5105 5106 45e712-45e717 5103->5106 5143 45e8ec-45e900 call 465290 call 40b1a0 5104->5143 5144 45e8db-45e8e9 call 40b300 5104->5144 5105->5105 5108 45e70a-45e710 5105->5108 5106->5098 5106->5103 5108->5106 5110 45e71d-45e741 Sleep 5108->5110 5110->5086 5110->5090 5151 45e914-45e931 call 465290 CreateDirectoryA 5143->5151 5152 45e902-45e911 call 40b300 5143->5152 5144->5143 5157 45e945-45e957 call 465290 CreateDirectoryA 5151->5157 5158 45e933-45e93f call 415e30 5151->5158 5152->5151 5164 45e9d3-45e9ee call 465290 GetPEB 5157->5164 5165 45e959-45e993 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 5157->5165 5158->5157 5163 460fa5-4610f8 OutputDebugStringA call 462d20 * 6 call 4655d0 call 418ee0 call 409940 call 469e70 call 465290 CreateMutexA call 402990 GetLastError 5158->5163 5213 4610fe-461170 Sleep call 40e580 call 4029f0 call 41e5f0 5163->5213 5214 4611db-461241 call 402af0 * 3 5163->5214 5177 45e9f0-45ea0f 5164->5177 5168 45e9a5-45e9a7 5165->5168 5169 45e995-45e99f 5165->5169 5170 45e9bd-45e9c0 5168->5170 5171 45e9a9 5168->5171 5169->5168 5176 45e9c8-45e9ce call 415e30 5170->5176 5171->5170 5174 45e9ab-45e9b1 5171->5174 5174->5170 5178 45e9b3-45e9b5 5174->5178 5176->5164 5181 45ea11-45ea16 5177->5181 5182 45ea5c-45ea5e 5177->5182 5178->5176 5183 45e9b7 5178->5183 5181->5182 5185 45ea18-45ea21 5181->5185 5182->5163 5182->5177 5183->5170 5186 45e9b9-45e9bb 5183->5186 5188 45ea23-45ea36 5185->5188 5186->5170 5186->5176 5190 45ea55-45ea5a 5188->5190 5191 45ea38-45ea4b 5188->5191 5190->5182 5190->5188 5191->5191 5192 45ea4d-45ea53 5191->5192 5192->5190 5228 461195-4611cc Sleep shutdown closesocket 5213->5228 5229 461172-461193 Sleep 5213->5229 5230 461243 call 403be0 5214->5230 5231 461248-461283 call 402af0 5214->5231 5228->5214 5235 4611ce-4611d0 5228->5235 5229->5228 5229->5229 5230->5231 5235->5214 5237 4611d2-4611d9 Sleep 5235->5237 5237->5237
APIs
• CreateThread.KERNELBASE(00000000,00000000,0041E220,00000000,00000000,00000000), ref: 0045E684
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 0045E68B
• Sleep.KERNELBASE(00000001), ref: 0045E738
• GetTempPathA.KERNEL32(000000FB,?,00000000), ref: 0045E78E
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0045E927
• CreateDirectoryA.KERNELBASE(00000000,00000000,?,00000000), ref: 0045E953
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E96A
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: Create$Directory$AttributesChangeCloseErrorFileFindLastNotificationPathSleepTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: drthdrthdrthdr hrtd hr$'$$G$PnE$h0u$hHBT$hXCT$hhCT$hxCT$jjj$>i$pi
• API String ID: 2868636072-2408573651
• Opcode ID: 528529b8c08875bfe406a238d9223f4ea08e23f5f7d8b4d7c99976c2826d5508
• Instruction ID: 6e5cd99d858afc9114efc19baa8da0ef7fd2211a61123bf09def4f2b3c7b9294
• Opcode Fuzzy Hash: 528529b8c08875bfe406a238d9223f4ea08e23f5f7d8b4d7c99976c2826d5508
• Instruction Fuzzy Hash: AB121430A00248CBCB18EB69CC55BDEBB71AF55308F1441DED9056B2D2EB785F48CB9A
Uniqueness Score: -1.00%
Control-flow Graph
Control-flow graph of the function at 45cc40 (the rendered graph is not reproduced here): the entry block 45cc40-45cce6 calls 442bc0 and CreateDirectoryA, then two parallel branches starting at 45ccec and 45d1d2 each build paths through 469d40, 469fa0 and 40b1a0 and create up to five directories (CreateDirectoryA in blocks 45ce14, 45cea7, 45cf34, 45d086 and 45d17b, 45d2df, 45d38d, 45d435, 45d575), converging on the cleanup blocks 45d0e2-45d12b and 45d5d1-45d61a and the exits at 45d65d-45d694 (call 402af0).
APIs
  • Part of subcall function 00442BC0: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
  • Part of subcall function 00442BC0: CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
  • Part of subcall function 00442BC0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045CCE2
• CreateDirectoryA.KERNEL32(?,00000000,-00000034,-0000004C), ref: 0045CE22
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045CEB5
• CreateDirectoryA.KERNEL32(?,00000000,?,00000000,?,?,-00000034,-0000004C), ref: 0045CF4B
• CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D094
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045D1C8
• CreateDirectoryA.KERNEL32(?,00000000,-00000034,-0000004C), ref: 0045D2ED
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D39B
• CreateDirectoryA.KERNEL32(?,00000000,?,00000000,?,?,-00000034,-0000004C), ref: 0045D44C
• CreateDirectoryA.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,-00000034,-0000004C), ref: 0045D583
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: CreateDirectory$FolderPath
• String ID: !$!$!$!$!$!$!$!$&
• API String ID: 2162323195-3870512404
• Opcode ID: b2431186a464716f6764598b4976cd052f309564fbbaf73e648e8f439ff1bff5
• Instruction ID: 98fd23d24cb48da29d058820bf00fed71ec261f9da1009b6e8183a7bb0bc2d35
• Opcode Fuzzy Hash: b2431186a464716f6764598b4976cd052f309564fbbaf73e648e8f439ff1bff5
• Instruction Fuzzy Hash: B762B131D0428CDEDB10DBA4C955BDEBBB4AF21308F5400AEE44577282EBB85F89DB56
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
  • Part of subcall function 0040B270: CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00459B2F
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459CDC
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459DA2
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID: !$!$!$!$!$!$!$!$!$!<$!<$"$"$"$"
• API String ID: 453214671-3335657276
• Opcode ID: a7a9c483997c18c838695e24effe8083b9d73f7fd635aff4d7b3a7e21d12edc3
• Instruction ID: c5f7a8c617223072bfb1229ec1c2afc80d8dcdf8a08cc0219ebc6f95682f2529
• Opcode Fuzzy Hash: a7a9c483997c18c838695e24effe8083b9d73f7fd635aff4d7b3a7e21d12edc3
• Instruction Fuzzy Hash: 3B037B70904298DEDB25EB64C9597DEBBB4AF11308F0440DED44977292EBB81F88CF5A
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,EB10111E), ref: 004282B4
  • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A957
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: ExceptionFolderPathRaiseUnothrow_t@std@@@__ehfuncinfo$??2@__fread_nolock
• String ID: 1$1$[$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 763711979-1380508078
• Opcode ID: c7ad71056cc14307d38f6abb9f529e30568558c8efab3d43691259c466a99dba
• Instruction ID: 971abde32ae973583efdc70f891493b7db531d9fc98c446d8c82e5115decafcc
• Opcode Fuzzy Hash: c7ad71056cc14307d38f6abb9f529e30568558c8efab3d43691259c466a99dba
• Instruction Fuzzy Hash: 8F73BD70D042A88BDB25DB28CC547EEBBB4AF15308F1441DED44967282DB795F88CF9A
Uniqueness Score: -1.00%
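The APIs listings in these function blocks are the part of the report a triage analyst actually reads: call-site addresses, the module the call resolved to, and which calls belong to a subroutine. The script below is an added example and is not part of the Joe Sandbox report or of the sample; it parses those bullet lines into records and applies three ordering heuristics that mirror the report's own signatures: LoadLibraryA followed by GetProcAddress in the same function (runtime import resolution), GetTempPathA followed by CreateDirectoryA (staging a working directory under %TEMP%), and the millisecond arguments of Sleep. The two input blocks are copied verbatim from the APIs listings above; the line pattern, the heuristic names and the triage() output layout are my assumptions about the report format, not a Joe Sandbox API.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" bullet of a Joe Sandbox IDA-plugin function block, e.g.
#   • CreateThread.KERNELBASE(00000000,...), ref: 0045E684
#   • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,...), ref: 0040B207
#   • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E96A   (no argument list)
# The pattern is an assumption derived from the listings on this page.
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                # address of the call site
    subcall: Optional[int]  # callee the report attributed the call to, if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn an APIs listing into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def _direct(calls, predicate):
    """Call-site addresses of the function's own calls; subcall entries live in another function."""
    return [c.ref for c in calls if c.subcall is None and predicate(c)]


def resolves_imports_at_runtime(calls) -> bool:
    """LoadLibrary* with a GetProcAddress at a higher address in the same function."""
    loads = _direct(calls, lambda c: c.api.startswith("LoadLibrary"))
    gpa = _direct(calls, lambda c: c.api == "GetProcAddress")
    return any(g > ld for ld in loads for g in gpa)


def stages_under_temp(calls) -> bool:
    """GetTempPath* followed by CreateDirectory* in the same function."""
    temps = _direct(calls, lambda c: c.api.startswith("GetTempPath"))
    mkdirs = _direct(calls, lambda c: c.api.startswith("CreateDirectory"))
    return any(m > t for t in temps for m in mkdirs)


def sleep_ms(calls) -> List[int]:
    """Millisecond arguments of the function's own Sleep calls ('?' = unresolved, skipped)."""
    return [int(c.args[0], 16) for c in calls
            if c.subcall is None and c.api == "Sleep" and c.args and c.args[0] != "?"]


def api_histogram(calls) -> Counter:
    return Counter(c.api for c in calls)


def triage(block_text: str) -> dict:
    calls = parse_api_lines(block_text)
    return {
        "calls": len(calls),
        "runtime_import_resolution": resolves_imports_at_runtime(calls),
        "temp_dir_staging": stages_under_temp(calls),
        "sleep_ms": sleep_ms(calls),
        "top_apis": api_histogram(calls).most_common(3),
    }


# Input copied verbatim from two APIs listings on this page (the 45e6xx function and 45dde5).
BLOCK_TEMP_STAGING = """\
• CreateThread.KERNELBASE(00000000,00000000,0041E220,00000000,00000000,00000000), ref: 0045E684
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 0045E68B
• Sleep.KERNELBASE(00000001), ref: 0045E738
• GetTempPathA.KERNEL32(000000FB,?,00000000), ref: 0045E78E
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0045E927
• CreateDirectoryA.KERNELBASE(00000000,00000000,?,00000000), ref: 0045E953
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E96A
"""

BLOCK_DYNAMIC_IMPORT = """\
• LoadLibraryA.KERNELBASE(00000000), ref: 0045DE2C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0045DE74
• MessageBoxA.USER32(00000000,00000000,00000000,00000014), ref: 0045DFEC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E088
• GetProcessId.KERNELBASE(0000A9BE,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0045E0E5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E414
"""

if __name__ == "__main__":
    for name, block in (("45e6xx", BLOCK_TEMP_STAGING), ("45dde5", BLOCK_DYNAMIC_IMPORT)):
        print(name, triage(block))
```

The ordering heuristics compare call-site addresses only within the function's own calls, because a "Part of subcall function" entry refers to a different address range; treating the subcall's GetFileAttributesA at 0040B1FC as preceding the function's GetTempPathA would be a false ordering. The 1 ms Sleep the parser reports for the first block is not a stall on its own; the report's "stalling execution" signature comes from the Sleep loops visible in the control-flow graphs, which this API-list parser does not see.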

Control-flow Graph
Control-flow graph of the function at 45dde5 (the rendered graph is not reproduced here): LoadLibraryA in the entry block 45dde5-45de36, GetProcAddress in 45de38-45de7c, a MessageBoxA path at 45df73-45dff5, GetProcessId in 45e0e0-45e11e, repeated PEB reads (GetPEB) in blocks 45e131, 45e1be, 45e2bf and 45e48a, two SetThreadExecutionState calls in 45e472-45e488, and the exit through 461235-461283 (call 403be0, call 402af0).
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(00000000), ref: 0045DE2C
                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0045DE74
                                                                                                                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000014), ref: 0045DFEC
                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E088
                                                                                                                                                                                            • GetProcessId.KERNELBASE(0000A9BE,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0045E0E5
                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E414
                                                                                                                                                                                            • SetThreadExecutionState.KERNEL32(80000041), ref: 0045E47D
                                                                                                                                                                                            • SetThreadExecutionState.KERNEL32(80000001), ref: 0045E488
                                                                                                                                                                                              • Part of subcall function 00414ED0: CoInitializeEx.OLE32(00000000), ref: 00414F21
                                                                                                                                                                                              • Part of subcall function 00414ED0: CoCreateInstance.OLE32(0051F29C,00000000,00000001,005264AC,00000000), ref: 00414F5B
                                                                                                                                                                                              • Part of subcall function 00414ED0: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041500D
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CreateExecutionStateThreadUnothrow_t@std@@@__ehfuncinfo$??2@$AddressInitializeInstanceLibraryLoadMessageProcProcess
                                                                                                                                                                                            • String ID: 0Dl$P5m$P5n$VW}8$$?$^?
                                                                                                                                                                                            • API String ID: 3671032131-3693957406
                                                                                                                                                                                            • Opcode ID: c5cf5b41cfba225ef6329929671c39fa8cb385e1aa91efd481a0732229720008
                                                                                                                                                                                            • Instruction ID: d05b7a526c526fb25ac86900d23d82a76dfacb57d7154bee3789098c3e461034
                                                                                                                                                                                            • Opcode Fuzzy Hash: c5cf5b41cfba225ef6329929671c39fa8cb385e1aa91efd481a0732229720008
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4432E175A00614CBCB28CF55C894BAEB7B1FF59309F14419ADD046B392EB34AE49CF89
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%
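The argument column in the API entries above is what Joe Sandbox recovered from the stack at the call site; "?" marks a value it could not resolve, so only the positions fixed by the documented prototype are worth decoding (that reading of the column is the editor's, not a statement the report makes). Decoding those positions is what turns the listing into behaviour: SetThreadExecutionState(80000041) is ES_CONTINUOUS | ES_SYSTEM_REQUIRED | ES_AWAYMODE_REQUIRED, i.e. the process asks Windows not to enter sleep while it runs, and the RegCreateKeyExA subcall passes samDesired 00020006, which is KEY_WRITE. The following added example, which is not part of the sandbox report, parses entries in the format shown on this page and applies that decoding. The regex and the choice of decoded positions are assumptions about the page format; the constant tables are the standard Win32 values from the SDK headers. SAMPLE_LINES are copied from the summary above.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function summary and decode the
well-known Win32 constants that appear as raw hex arguments.

Added example for reading this report; it is not part of the sandbox output.
The regex is written against the line format as it appears on this page
(assumption); SAMPLE_LINES are copied from the 45dde5 function summary.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{1,8}$")

# Standard Win32 values (winnt.h, winreg.h, shlobj.h, objbase.h).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_COMPOSITE = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
ES_FLAGS = {0x1: "ES_SYSTEM_REQUIRED", 0x2: "ES_DISPLAY_REQUIRED", 0x4: "ES_USER_PRESENT",
            0x40: "ES_AWAYMODE_REQUIRED", 0x80000000: "ES_CONTINUOUS"}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x2: "CLSCTX_INPROC_HANDLER",
          0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw text; "?" is an argument the sandbox could not resolve
    ref: int                 # address of the call site
    parent: Optional[int]    # set for "Part of subcall function" entries


def parse_api_lines(lines):
    """Keep only lines that look like API entries; headings are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def decode_bits(value, names):
    """Expand a bit mask into named flags, keeping unnamed bits as hex."""
    parts, rest = [], value
    for bit in sorted(names):
        if rest & bit:
            parts.append(names[bit])
            rest &= ~bit
    if rest:
        parts.append(f"0x{rest:x}")
    return "|".join(parts) if parts else "0"


def decode_reg_access(value):
    return REG_COMPOSITE.get(value) or decode_bits(value, REG_BITS)


# (API name, zero-based argument position) -> decoder. Only positions whose
# meaning is fixed by the documented prototype are decoded.
DECODERS = {
    ("SetThreadExecutionState", 0): lambda v: decode_bits(v, ES_FLAGS),
    ("RegOpenKeyExA", 0): lambda v: HKEY_ROOTS.get(v, f"hKey 0x{v:x}"),
    ("RegOpenKeyExA", 3): decode_reg_access,
    ("RegCreateKeyExA", 0): lambda v: HKEY_ROOTS.get(v, f"hKey 0x{v:x}"),
    ("RegCreateKeyExA", 5): decode_reg_access,
    ("SHGetFolderPathA", 1): lambda v: CSIDL.get(v, f"CSIDL 0x{v:x}"),
    ("CoCreateInstance", 2): lambda v: decode_bits(v, CLSCTX),
}


def decode_args(call):
    """Map argument position -> decoded text for every position we know."""
    out = {}
    for i, a in enumerate(call.args):
        fn = DECODERS.get((call.api, i))
        if fn and HEX_ARG.match(a):
            out[i] = fn(int(a, 16))
    return out


def summarize(lines):
    rows = []
    for c in parse_api_lines(lines):
        dec = decode_args(c)
        shown = [dec.get(i, a) for i, a in enumerate(c.args)]
        prefix = f"  (via {c.parent:08X}) " if c.parent else ""
        rows.append(f"{prefix}{c.ref:08X} {c.api}.{c.module}({', '.join(shown)})")
    return rows


# Copied from the function summary on this page (the "APIs" heading included
# to show that non-entry lines are ignored).
SAMPLE_LINES = [
    "APIs",
    "• LoadLibraryA.KERNELBASE(00000000), ref: 0045DE2C",
    "• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E088",
    "• SetThreadExecutionState.KERNEL32(80000041), ref: 0045E47D",
    "• SetThreadExecutionState.KERNEL32(80000001), ref: 0045E488",
    "• Part of subcall function 00414ED0: CoCreateInstance.OLE32(0051F29C,00000000,00000001,005264AC,00000000), ref: 00414F5B",
    "• Part of subcall function 00414ED0: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0041500D",
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LINES)))
```

The same decoders cover the SHGetFolderPathA (0000001A = CSIDL_APPDATA) and RegOpenKeyExA (80000001 = HKEY_CURRENT_USER, 00020019 = KEY_READ) entries in the summaries further down the page; add an (api, position) pair to DECODERS for any other constant you want expanded. Treat the decoded value as a hint rather than proof, since the stack snapshot can be stale at positions the sandbox did not resolve.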

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,EB100A1A,?,?,?,00000004), ref: 0042CAB4
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FolderPath
                                                                                                                                                                                            • String ID: V$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                                            • API String ID: 1514166925-852427314
                                                                                                                                                                                            • Opcode ID: 7a92e4d2efc8a7d3982d1c0e98320d833f3b99e16c11bd0952f5b9746d040943
                                                                                                                                                                                            • Instruction ID: 93d48fb3b7394a7a9c545578b9020dcc270c056067832ed45d6f7c74abe25d34
                                                                                                                                                                                            • Opcode Fuzzy Hash: 7a92e4d2efc8a7d3982d1c0e98320d833f3b99e16c11bd0952f5b9746d040943
                                                                                                                                                                                            • Instruction Fuzzy Hash: DD23CE70D002A88ADF25DB68CD457EEBBB0AF15304F1442DEE44977282DBB85B89CF95
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00434C41
                                                                                                                                                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00434CE6
                                                                                                                                                                                            • GetPrivateProfileStringA.KERNEL32(?,E80B1F2D,00000000,?,00000104,?), ref: 00434DB6
                                                                                                                                                                                            • lstrlenA.KERNEL32(?), ref: 00437778
                                                                                                                                                                                              • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,00000000,?,!/,?,00000000,!/,!/,?,?,E9181111,E9181111,00000000), ref: 00436806
                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 00436B77
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CreateDirectoryPrivateProfile$FolderNamesPathSectionString__fread_nolocklstrlen
                                                                                                                                                                                            • String ID: !/$3$\$\$_$cannot use operator[] with a string argument with
                                                                                                                                                                                            • API String ID: 2628882823-2383513987
                                                                                                                                                                                            • Opcode ID: 7f008d2b1d43d3440f0b736f4e868794396d9013d87c5915d0065dada75c57de
                                                                                                                                                                                            • Instruction ID: 1ce51221f2985692f3453a56c8f933069d7efec376c23e296511ddad2afc8776
                                                                                                                                                                                            • Opcode Fuzzy Hash: 7f008d2b1d43d3440f0b736f4e868794396d9013d87c5915d0065dada75c57de
                                                                                                                                                                                            • Instruction Fuzzy Hash: FF53E170C042989EDF25CB64CC497EEBBB4AF15304F1481DED44967282DB785B89CF96
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 10404 40b300-40b33f call 4dbdc9 10407 40b712-40b714 std::_Throw_Cpp_error 10404->10407 10408 40b345-40b34f 10404->10408 10409 40b719-40b725 std::_Throw_Cpp_error 10407->10409 10408->10409 10410 40b355-40b39e 10408->10410 10411 40b72a call 402400 10409->10411 10410->10411 10412 40b3a4-40b42f call 46daa0 call 402af0 * 2 FindFirstFileA 10410->10412 10415 40b72f-40b734 call 4e1ea0 10411->10415 10424 40b435-40b43e 10412->10424 10425 40b65a 10412->10425 10427 40b440-40b445 10424->10427 10426 40b65c-40b666 10425->10426 10428 40b694-40b6b0 10426->10428 10429 40b668-40b674 10426->10429 10427->10427 10430 40b447-40b499 10427->10430 10434 40b6b2-40b6be 10428->10434 10435 40b6da-40b711 call 4dbdda 10428->10435 10432 40b676-40b684 10429->10432 10433 40b68a-40b691 call 4dcb23 10429->10433 10430->10411 10441 40b49f-40b4d1 call 46daa0 10430->10441 10432->10415 10432->10433 10433->10428 10439 40b6d0-40b6d7 call 4dcb23 10434->10439 10440 40b6c0-40b6ce 10434->10440 10439->10435 10440->10415 10440->10439 10449 40b4d4-40b4d9 10441->10449 10449->10449 10450 40b4db-40b589 call 468210 call 402af0 * 3 10449->10450 10459 40b5a9-40b5c2 SetFileAttributesA 10450->10459 10460 40b58b-40b592 call 40b300 10450->10460 10462 40b650-40b658 GetLastError 10459->10462 10463 40b5c8-40b5dc DeleteFileA 10459->10463 10460->10459 10462->10426 10463->10462 10464 40b5de-40b5f1 FindNextFileA 10463->10464 10464->10424 10465 40b5f7-40b60b FindClose GetLastError 10464->10465 10465->10426 10466 40b60d-40b613 10465->10466 10467 40b615 10466->10467 10468 40b617-40b625 SetFileAttributesA 10466->10468 10467->10468 10469 40b632-40b636 10468->10469 10470 40b627-40b630 10468->10470 10471 40b638 10469->10471 10472 40b63a-40b643 RemoveDirectoryA 10469->10472 10470->10426 10471->10472 10472->10425 10474 40b645-40b64e 
10472->10474 10474->10426
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • FindFirstFileA.KERNELBASE(?,?,DT,?,?,?,\*.*,00000004), ref: 0040B423
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 0040B714
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 0040B725
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Cpp_errorThrow_std::_$FileFindFirst
                                                                                                                                                                                            • String ID: \*.*$DT
                                                                                                                                                                                            • API String ID: 1487763586-2523999094
                                                                                                                                                                                            • Opcode ID: 4a29aba26bec869d3660ca0283637983aa92af40795304ad3570c6c34889b601
                                                                                                                                                                                            • Instruction ID: ac939954ec097e0f466dd701cbb477dfb9ac36ed8f0a1d488013fd253ef2818d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 4a29aba26bec869d3660ca0283637983aa92af40795304ad3570c6c34889b601
                                                                                                                                                                                            • Instruction Fuzzy Hash: FCC1CF70D00249CFDB10DFA4C8487EEBBB1FF55314F14426AE044BB292E7B45A88DB99
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%
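The graph above is the 40b300 routine: FindFirstFileA on "\*.*", a loop driven by FindNextFileA, SetFileAttributesA immediately before DeleteFileA, a call back into 40b300 at 40b58b, and RemoveDirectoryA once the listing is exhausted, i.e. a recursive directory wipe that clears attributes so read-only entries do not survive. Reading that out of a 2,000-character edge list by hand is error-prone, so the following added example (not part of the sandbox report) parses the control_flow_graph text into blocks and edges, lists the API labels reachable from the entry block in address order, flags blocks that call the routine's own entry address, and reports back edges (loops). CFG_TEXT is an excerpt of the graph above with the error path and a few pass-through blocks dropped. The token format assumed is "id start[-end] annotations..." for a block, "a->b" for an edge, and "call X * N" meaning the call occurs N times in the block; that reading of the plugin output is the editor's assumption.

```python
"""Parse a Joe Sandbox 'control_flow_graph' dump into blocks and edges, then
walk it to recover API order, direct recursion and loop back edges.

Added example; not part of the sandbox report. CFG_TEXT is an excerpt of
the 40b300 graph on this page (error-path and pass-through blocks dropped).
Token format assumed: 'id start[-end] annotations...' for a block, 'a->b'
for an edge, and 'call X * N' meaning the call occurs N times in the block.
"""
import re
from collections import deque

BLOCK_ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return ({block_id: {start, end, calls, apis}}, [(src, dst), ...])."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    blocks, edges, cur, last = {}, [], None, None
    i = 1
    while i < len(tokens):
        t = tokens[i]
        m = EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(tokens) and BLOCK_ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")   # single-address blocks have no '-'
            cur = int(t)
            blocks[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16),
                           "calls": [], "apis": []}
            last = None
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {t!r} before the first block")
        elif t == "call" and i + 1 < len(tokens):
            blocks[cur]["calls"].append(int(tokens[i + 1], 16))
            last = blocks[cur]["calls"]
            i += 2
        elif t == "*" and last and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            last.extend([last[-1]] * (int(tokens[i + 1]) - 1))   # 'X * N': repeat X
            i += 2
        else:
            blocks[cur]["apis"].append(t)        # imported API or library label
            last = blocks[cur]["apis"]
            i += 1
    return blocks, edges


def entry_block(blocks):
    return min(blocks, key=lambda b: blocks[b]["start"])


def reachable(blocks, edges, start=None):
    """Breadth-first set of blocks reachable from the entry block."""
    adj = {}
    for s, d in edges:
        adj.setdefault(s, []).append(d)
    start = entry_block(blocks) if start is None else start
    seen, queue = {start}, deque([start])
    while queue:
        for d in adj.get(queue.popleft(), []):
            if d in blocks and d not in seen:     # tolerate edges into dropped blocks
                seen.add(d)
                queue.append(d)
    return seen


def api_profile(blocks, edges):
    """Unique API labels in reachable blocks, ordered by block address."""
    order = sorted(reachable(blocks, edges), key=lambda b: blocks[b]["start"])
    out = []
    for b in order:
        for a in blocks[b]["apis"]:
            if a not in out:
                out.append(a)
    return out


def direct_recursion(blocks):
    """Blocks that call the routine's own entry address."""
    entry = blocks[entry_block(blocks)]["start"]
    return sorted(b for b, info in blocks.items() if entry in info["calls"])


def back_edges(blocks, edges):
    """Edges to an equal or lower address: loop heads (the FindNextFileA loop here)."""
    return [(s, d) for s, d in edges
            if s in blocks and d in blocks and blocks[d]["start"] <= blocks[s]["start"]]


# Excerpt of the 40b300 graph printed on this page; edges to dropped blocks removed.
CFG_TEXT = (
    "control_flow_graph 10404 40b300-40b33f call 4dbdc9 "
    "10407 40b712-40b714 std::_Throw_Cpp_error 10404->10407 "
    "10408 40b345-40b34f 10404->10408 10410 40b355-40b39e 10408->10410 "
    "10412 40b3a4-40b42f call 46daa0 call 402af0 * 2 FindFirstFileA 10410->10412 "
    "10424 40b435-40b43e 10412->10424 10425 40b65a 10412->10425 "
    "10427 40b440-40b445 10424->10427 10427->10427 "
    "10430 40b447-40b499 10427->10430 10441 40b49f-40b4d1 call 46daa0 10430->10441 "
    "10449 40b4d4-40b4d9 10441->10449 10449->10449 "
    "10450 40b4db-40b589 call 468210 call 402af0 * 3 10449->10450 "
    "10459 40b5a9-40b5c2 SetFileAttributesA 10450->10459 "
    "10460 40b58b-40b592 call 40b300 10450->10460 10460->10459 "
    "10462 40b650-40b658 GetLastError 10459->10462 "
    "10463 40b5c8-40b5dc DeleteFileA 10459->10463 10463->10462 "
    "10464 40b5de-40b5f1 FindNextFileA 10463->10464 10464->10424 "
    "10465 40b5f7-40b60b FindClose GetLastError 10464->10465 "
    "10466 40b60d-40b613 10465->10466 10468 40b617-40b625 SetFileAttributesA 10466->10468 "
    "10469 40b632-40b636 10468->10469 10472 40b63a-40b643 RemoveDirectoryA 10469->10472 "
    "10472->10425"
)

if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    print("APIs:", " -> ".join(api_profile(blocks, edges)))
    print("recursive calls in blocks:", direct_recursion(blocks))
    print("back edges:", back_edges(blocks, edges))
```

Run against the full graph text (paste the whole control_flow_graph line into parse_cfg) the same three calls give the complete picture; on the excerpt the profile reads FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, GetLastError, RemoveDirectoryA, which is the order a recursive delete executes in, and block 10460 is the self-call that descends into subdirectories.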

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 10833 440c10-440c9e call 467210 call 4630b0 10838 440ca0-440cab 10833->10838 10838->10838 10839 440cad-440d1f call 46a190 call 466ee0 10838->10839 10844 440d20-440d63 call 4655d0 RegOpenKeyExA 10839->10844 10847 441d3c-441d60 call 402af0 10844->10847 10848 440d69-440da4 call 4debe0 RegEnumKeyA 10844->10848 10847->10844 10855 441d66-441d7b 10847->10855 10853 441d30-441d36 RegCloseKey 10848->10853 10854 440daa 10848->10854 10853->10847 10856 440db0-440dd0 RegOpenKeyExA 10854->10856 10857 440dd6-440e8c call 4debe0 * 5 10856->10857 10858 441cef-441d2a call 4debe0 RegEnumKeyA 10856->10858 10871 440e90-440e9b 10857->10871 10858->10853 10858->10856 10871->10871 10872 440e9d-440ec3 RegQueryValueExA 10871->10872 10873 441ce6-441ce9 RegCloseKey 10872->10873 10874 440ec9-440f42 10872->10874 10873->10858 10875 440f48-440f4d 10874->10875 10875->10875 10876 440f4f-440fbd call 402d00 call 4debe0 * 2 10875->10876 10883 440fc0-440fcb 10876->10883 10883->10883 10884 440fcd-4410ce RegQueryValueExA 10883->10884 10888 4410d0-4410de 10884->10888 10888->10888 10889 4410e0-4413b0 RegQueryValueExA 10888->10889 10894 441425-441471 call 4db500 10889->10894 10895 4413b2-4413bb 10889->10895 10900 441486-44157c call 4de4a0 call 467210 call 4dc8a2 call 4655d0 10894->10900 10901 441473-441476 10894->10901 10896 4413c0-4413c5 10895->10896 10896->10896 10899 4413c7-4413c9 10896->10899 10899->10894 10902 4413cb-4413da 10899->10902 10921 441580-44158b 10900->10921 10901->10900 10903 441478-44147c 10901->10903 10905 4413e0-4413eb 10902->10905 10906 441481-441484 10903->10906 10907 44147e-441480 10903->10907 10905->10905 10909 4413ed-4413f4 10905->10909 10906->10900 10906->10903 10907->10906 10911 4413f7-4413fc 10909->10911 10911->10911 10913 4413fe-44141d call 465330 call 41f3a0 10911->10913 
10913->10894 10921->10921 10922 44158d-441599 10921->10922 10923 4415c9-4415cb 10922->10923 10924 44159b-4415c7 call 467210 10922->10924 10926 4415d1 10923->10926 10927 441d7c-441dcc call 467500 call 4029f0 call 469f00 call 408820 call 4de42b 10923->10927 10929 4415d7-4415fe 10924->10929 10926->10929 10951 441dd1-441dd6 call 4e1ea0 10927->10951 10931 441600-441605 10929->10931 10931->10931 10933 441607-44163a call 402d00 call 46d5a0 10931->10933 10943 44163c-44164b 10933->10943 10944 44166b-441744 call 466ee0 call 4dc8a2 call 4655d0 10933->10944 10947 441661-441668 call 4dcb23 10943->10947 10948 44164d-44165b 10943->10948 10960 441748-441753 10944->10960 10947->10944 10948->10947 10948->10951 10960->10960 10961 441755-44177d 10960->10961 10962 441780-441785 10961->10962 10962->10962 10963 441787-4417bb call 402d00 call 46d5a0 10962->10963 10968 4417ec-4418a4 call 466ee0 call 4dc8a2 10963->10968 10969 4417bd-4417cc 10963->10969 10978 4418a7-4418ac 10968->10978 10970 4417e2-4417e9 call 4dcb23 10969->10970 10971 4417ce-4417dc 10969->10971 10970->10968 10971->10951 10971->10970 10978->10978 10979 4418ae-4418ea call 402d00 10978->10979 10982 4418f0-4418fb 10979->10982 10982->10982 10983 4418fd-441922 10982->10983 10984 441925-44192a 10983->10984 10984->10984 10985 44192c-441960 call 402d00 call 46d5a0 10984->10985 10990 441991-441a71 call 466ee0 call 4dc8a2 call 4655d0 10985->10990 10991 441962-441971 10985->10991 11002 441a77-441a82 10990->11002 10992 441987-44198e call 4dcb23 10991->10992 10993 441973-441981 10991->10993 10992->10990 10993->10951 10993->10992 11002->11002 11003 441a84-441aac 11002->11003 11004 441ab0-441ab5 11003->11004 11004->11004 11005 441ab7-441aeb call 402d00 call 46d5a0 11004->11005 11010 441b1c-441b8f call 466ee0 11005->11010 11011 441aed-441afc 11005->11011 11017 441b90-441b9b 11010->11017 11013 441b12-441b19 call 4dcb23 11011->11013 11014 441afe-441b0c 11011->11014 11013->11010 11014->10951 11014->11013 11017->11017 11019 441b9d-441bdc call 
46a190 call 462610 call 466ee0 11017->11019 11026 441c0d-441c35 11019->11026 11027 441bde-441bed 11019->11027 11028 441c66-441c8e 11026->11028 11029 441c37-441c46 11026->11029 11030 441c03-441c0a call 4dcb23 11027->11030 11031 441bef-441bfd 11027->11031 11034 441c90-441c9f 11028->11034 11035 441cbf-441cdf 11028->11035 11032 441c5c-441c63 call 4dcb23 11029->11032 11033 441c48-441c56 11029->11033 11030->11026 11031->10951 11031->11030 11032->11028 11033->10951 11033->11032 11038 441cb5-441cbc call 4dcb23 11034->11038 11039 441ca1-441caf 11034->11039 11035->10873 11038->11035 11039->10951 11039->11038
APIs
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,00544428,?,E9181111,?,?,?,00000000), ref: 00440D5B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00440D99
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00000000), ref: 00440DC8
• RegQueryValueExA.ADVAPI32(?,E91E1338,00000000,00000001,?,00000104), ref: 00440EBF
• RegQueryValueExA.ADVAPI32(?,D03E3334,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 00440FEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: OpenQueryValue$Enum
• String ID: !$-$cannot use operator[] with a string argument with
• API String ID: 2712010499-1276644407
• Opcode ID: 2cae61403f8ba5b001ee441a9bc76ed959ca99549b7a748f4f64741000691798
• Instruction ID: 467e1f61573673e568cb322bcfad3a158302ffbc17161ed4d3dffea1a2fad12a
• Opcode Fuzzy Hash: 2cae61403f8ba5b001ee441a9bc76ed959ca99549b7a748f4f64741000691798
• Instruction Fuzzy Hash: B3929B70C002989FEB25CB64CC94BDDBBB4AF55304F1481DAD449A7292EBB85BC8CF95
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 0044AD86
• SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,D33A3A59,?,?), ref: 0044AF74
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?,?,?,?,?,?,?,C3303A59,?,?), ref: 0044B176
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,C52C2B59,?,?), ref: 0044B404
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPath$AttributesErrorFileLast
• String ID: $*$:$Q^$type must be boolean, but is
• API String ID: 133263752-2910639182
• Opcode ID: f8a5c1fd18049b14770c9d83c876d00c3ab7aaff4ac436de6173ae7118f918e5
• Instruction ID: f601a768aac6b107c1b52a814d78b372fed79b1e5d76e311e5bac06f3818e39b
• Opcode Fuzzy Hash: f8a5c1fd18049b14770c9d83c876d00c3ab7aaff4ac436de6173ae7118f918e5
• Instruction Fuzzy Hash: 12C2F170C042589AEF25CF64C859BEEBB74AF16304F1081DED44977282EB785B89CF96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStringA.KERNEL32(?,E80B1F2D,00000000,?,00000104,?), ref: 00439D16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString
• String ID: /$1$1$@$TbE$\$\$cannot use operator[] with a string argument with
• API String ID: 1096422788-1445346722
• Opcode ID: 2965c0b2003d1651e8eb03f83b992031b88ba7001cac5faaa004735bee3f47b6
• Instruction ID: 48f681746d01d8606fd5da3aba38660e17bb2eb0aa84c3269b79c46dcc56e974
• Opcode Fuzzy Hash: 2965c0b2003d1651e8eb03f83b992031b88ba7001cac5faaa004735bee3f47b6
• Instruction Fuzzy Hash: 7D03E270D002599BDB25DB24C8487EEBBB0AF19308F1481DED48967382D778AF85CF96
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: $!$!$!$!$!$!$!<$!<$!=<$"$"$P$P
• API String ID: 674977465-849160089
• Opcode ID: 5f961a8c59e3abbcd852215698635d93fbf3bef1801bfa62208ebea6883c0baf
• Instruction ID: aaf53db0e1b4d15e6be1d28252f3172ce73b50c3640e64186e45e7c1d5f19c6e
• Opcode Fuzzy Hash: 5f961a8c59e3abbcd852215698635d93fbf3bef1801bfa62208ebea6883c0baf
• Instruction Fuzzy Hash: 93C2AE708042989EDB25DB64CC597DEBBB4AF11308F0441DED44977292EBB81F88DF9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004379A8
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00437A51
• GetPrivateProfileStringA.KERNEL32(?,E80B1F2D,00000000,?,00000104,?), ref: 00437B09
• lstrlenA.KERNEL32(?), ref: 0043865B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: $'7/$/$\$\$cannot use operator[] with a string argument with
• API String ID: 1311570089-2982360621
• Opcode ID: 8856ee1443d33a6323f86d2b2cabd39d1ae4f5180e08f34482b4ff18a460cfa1
• Instruction ID: 9f976b58b8be0850a844ace8a6271eea27716fe17c03b5f0162a7ffe5c17bfa4
• Opcode Fuzzy Hash: 8856ee1443d33a6323f86d2b2cabd39d1ae4f5180e08f34482b4ff18a460cfa1
• Instruction Fuzzy Hash: 9BA2F470D04258DBDF24DF64C844BDEBBB4AF19308F1441DEE449A7282EB789A89CF95
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced)
APIs
• setsockopt.WS2_32(0000038C,0000FFFF,00001006,?,00000008), ref: 0041E2B2
• recv.WS2_32(?,00000004,00000002), ref: 0041E2CD
• WSAGetLastError.WS2_32 ref: 0041E2D1
• recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0041E34F
• recv.WS2_32(00000000,0000000C,00000008), ref: 0041E370
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0041E40C
• recv.WS2_32(00000000,?,00000008), ref: 0041E427
  • Part of subcall function 0041D430: WSAStartup.WS2_32 ref: 0041D45A
  • Part of subcall function 0041D430: getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
  • Part of subcall function 0041D430: socket.WS2_32(?,?,?), ref: 0041D4FD
  • Part of subcall function 0041D430: connect.WS2_32(00000000,?,?), ref: 0041D511
  • Part of subcall function 0041D430: closesocket.WS2_32(00000000), ref: 0041D51D
  • Part of subcall function 0041D430: freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
  • Part of subcall function 0041D430: WSACleanup.WS2_32 ref: 0041D530
• recv.WS2_32(?,00000004,00000008), ref: 0041E52F
• __Xtime_get_ticks.LIBCPMT ref: 0041E536
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E544
• Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 0041E5BD
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 0041E5C5
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
• String ID:
• API String ID: 4125349891-0
• Opcode ID: 58cb50fad8bfee238d794f3ab8072a6dc5a148d89207eb05ecb41e0d4a435300
• Instruction ID: 445f019a92e67a07c5577944838b6ba889f153fe2f7e7f97530082f2635256d3
• Opcode Fuzzy Hash: 58cb50fad8bfee238d794f3ab8072a6dc5a148d89207eb05ecb41e0d4a435300
• Instruction Fuzzy Hash: BFB1BB74D00208DFDB10DFA5DC49BDEBBB1BF55308F20421AE514AB2D2E7B85989DB85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2$N$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 0-3997232999
• Opcode ID: 39b1c78cc260389004a9945ae1215db3ef1f2606071fc9a6093dcbdc2b2998ea
• Instruction ID: 142a1333c886f7168f4796e51cba4106daa42fe8ca959b633c77b9f205a70950
• Opcode Fuzzy Hash: 39b1c78cc260389004a9945ae1215db3ef1f2606071fc9a6093dcbdc2b2998ea
• Instruction Fuzzy Hash: 3A03FF70D042A8CADB25DF68C9447EEBBB0AF25304F1441DED44977292DBB85B88CF96
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 0042EBF6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: 0$\$\$\$\$\$\
• API String ID: 1514166925-2451213376
• Opcode ID: 36860eb0e155d2f8010df601d171291f325214116c62a2c6aca437c35bd48e3b
• Instruction ID: ff42d24a3409b96a5a3af719d977c7bdcf0e65b10999f228c8266e98d8d3b20c
• Opcode Fuzzy Hash: 36860eb0e155d2f8010df601d171291f325214116c62a2c6aca437c35bd48e3b
• Instruction Fuzzy Hash: EC03CE70C00298CBDB15CFA4C9547EEBBB4AF15304F1482EED44967282EBB85B89DF95
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesCreateDirectoryErrorFileLast
• String ID: !$!$!$!$!<$X$X$X$X$XX$i
• API String ID: 325604351-2037772135
• Opcode ID: 00640e7ae51c25515dbab57518f1b5585add5ccf1b9807717d4c2318bf2f91c0
• Instruction ID: ecb2ca0d95ec8d52ec3e550aec8de0df42c26821c100c05c85970344710edf93
• Opcode Fuzzy Hash: 00640e7ae51c25515dbab57518f1b5585add5ccf1b9807717d4c2318bf2f91c0
• Instruction Fuzzy Hash: C0137B30804298DADB21DBA4CD597DDBBB4AF21308F4440EED44977292EBB81F88DF56
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,F40C1715,?,?,?,?), ref: 0042B7A1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042C4A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPathUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: $$@$\$\$\$cannot use operator[] with a string argument with
• API String ID: 2082173394-1541509089
• Opcode ID: 6133f534c6a332d7941f26dfa8c2fbae13c62275449d7d66e0fd3f2e3009ec6c
• Instruction ID: 19e61057b4de96387459b8fbb322fb78cfcc39abb5ced32acda83e23eefcc91f
• Opcode Fuzzy Hash: 6133f534c6a332d7941f26dfa8c2fbae13c62275449d7d66e0fd3f2e3009ec6c
• Instruction Fuzzy Hash: 60C2E170D002688BDB24DF68DD447EEBBB1AF55304F14819EE449AB282DB785A88CF95
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00431C6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: -$@$\$\$\$\
• API String ID: 1514166925-2684308176
• Opcode ID: dc0feb0ff27342ba2351010760a9a7fa9f17d55a1b17b16ef9f87e90b9ed826b
• Instruction ID: d91b79af9706b3dcd8d39c7225c5b41485dc7db8cb22aba9996e65dd2ffe5a79
• Opcode Fuzzy Hash: dc0feb0ff27342ba2351010760a9a7fa9f17d55a1b17b16ef9f87e90b9ed826b
• Instruction Fuzzy Hash: 1AE2CC70D002588BDB24DF68CD497EEBBB1AF55308F1442DED4497B282DBB85B88CB95
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
APIs
• LoadLibraryA.KERNELBASE(EC0A1F0B), ref: 0043C845
• GetProcAddress.KERNEL32(00000000,?), ref: 0043C890
• GetProcAddress.KERNEL32(?), ref: 0043C8CC
• GetProcAddress.KERNEL32(EC0A1F2B), ref: 0043C90B
• GetProcAddress.KERNEL32(EC0A1F2B), ref: 0043C94B
• GetProcAddress.KERNEL32(?), ref: 0043C97E
• GetProcAddress.KERNEL32(EC0A1F2B), ref: 0043C9BD
• GetProcAddress.KERNEL32(EC0A1F2B), ref: 0043C9FC
• FreeLibrary.KERNEL32 ref: 0043CA51
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID:
• API String ID: 2449869053-0
• Opcode ID: 1a03b80e99f2ae9b9d448c6761ef6ab857ef5f5529903590e56c350a4be63973
• Instruction ID: b1d565e26da15637c44d487adb7fec3754ae83cdb862e226590c04255aff7c14
• Opcode Fuzzy Hash: 1a03b80e99f2ae9b9d448c6761ef6ab857ef5f5529903590e56c350a4be63973
• Instruction Fuzzy Hash: 20711574814288DEDB04CFA8E9497EE7BF8EF1E308F14506ED444BA221E3754259DF69
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced)
17252->17300 17253->17217 17280 45aaa6-45aace call 409250 call 46a190 call 470d50 17254->17280 17281 45aad3-45ab59 call 40aad0 call 402fd0 call 402af0 * 2 call 461bb0 17254->17281 17255->17254 17278->17279 17285 45b0b5 17279->17285 17286 45b0a4-45b0b0 call 402af0 17279->17286 17280->17281 17281->17173 17285->17186 17286->17285 17314 45b1e2-45b214 call 40aaa0 call 46a190 call 470d50 17299->17314 17315 45b219-45b29c call 40aad0 call 402fd0 call 402af0 * 2 call 461bb0 17299->17315 17300->17299 17314->17315 17315->17240
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: !$!$!$!$!$!$!<$!<$"$"
• API String ID: 674977465-4268256857
• Opcode ID: 27049611b3e27e7561ed8f9592854416b11846d9743bc27a38aae9a19c33b6d1
• Instruction ID: 5d91988631de9c64da63e99e6f9eee4dff0cc50ce4f01ab050edeb8638314a4c
• Opcode Fuzzy Hash: 27049611b3e27e7561ed8f9592854416b11846d9743bc27a38aae9a19c33b6d1
• Instruction Fuzzy Hash: 1592BF30804298DEDB21DB65C9557DEBBB0AF11308F0441DED44A77292EBB81F89DF9A
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: function at 41ab90 (basic-block edge list not reproduced)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: '$$'$$'$$'$$Content-Type: application/x-www-form-urlencoded$R$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address$v
• API String ID: 667068680-2061937629
• Opcode ID: 826fd57540206e3bf1e6079d5728c1854fc311df49381f8b6000cc1682075660
• Instruction ID: 405d04aefb3fce8c0c0cc81f026dd962f33e5c7b4d644263dc3e8c158a3863fa
• Opcode Fuzzy Hash: 826fd57540206e3bf1e6079d5728c1854fc311df49381f8b6000cc1682075660
• Instruction Fuzzy Hash: 09139B308086D9D9DB22D768CD587DDBFB05F22318F0442DAD0997B2D2D7B80B89DB66
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: function at 40c490 (basic-block edge list not reproduced)
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
                                                                                                                                                                                              • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
                                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,-00020019,00000000,EE141028,EE141029,00000000), ref: 0040C571
                                                                                                                                                                                            • RegQueryValueExA.KERNELBASE(00000000,E81C1F30,00000000,00020019,?,00000400), ref: 0040C5D1
                                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0040C600
                                                                                                                                                                                            • GetCurrentHwProfileA.ADVAPI32(?), ref: 0040C687
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CurrentProcess$CloseOpenProfileQueryValueWow64
                                                                                                                                                                                            • String ID: _$_$___
                                                                                                                                                                                            • API String ID: 165412945-3771204864
                                                                                                                                                                                            • Opcode ID: 494c1fda814901c24b13ed7c4ecfc889797ab3f93025f499c3c38bde76937db5
                                                                                                                                                                                            • Instruction ID: 5751222aa254f6d9748874ec03cc5a69f204ea5eca6779fec1b35b27ceae82dc
                                                                                                                                                                                            • Opcode Fuzzy Hash: 494c1fda814901c24b13ed7c4ecfc889797ab3f93025f499c3c38bde76937db5
                                                                                                                                                                                            • Instruction Fuzzy Hash: EB02E470C00258DEDB15CFA4C854BEEBBB4AF15308F1442AEE44577292EBB85B88CF95
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: $'7/$'7/$)$@$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                                            • API String ID: 0-332647325
                                                                                                                                                                                            • Opcode ID: 801aa9ebdc0525f9831b497621d126c51bda5b67daad67d996e4387aabdf3845
                                                                                                                                                                                            • Instruction ID: 61e97b4625812ccfc18c7b84ada4c7f8c9f9400c5d91a0ded182efbc8a5c6066
                                                                                                                                                                                            • Opcode Fuzzy Hash: 801aa9ebdc0525f9831b497621d126c51bda5b67daad67d996e4387aabdf3845
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4EA2E170E00268DBDB14DF68D9447EEBBB0BF15304F14419EE449AB382DB78AE85CB95
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?), ref: 004237AB
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: FolderPath
• String ID: $@$\$\$\
• API String ID: 1514166925-3855809014
• Opcode ID: cb9a08416f5a44a1aed852bb4bce2c0a1a148f8c2640d52e8ffd3e837192ccae
• Instruction ID: f3345cdad3a7bf631cb8bea3eb755c4a26d33441534220e24a94c3e683fde97c
• Opcode Fuzzy Hash: cb9a08416f5a44a1aed852bb4bce2c0a1a148f8c2640d52e8ffd3e837192ccae
• Instruction Fuzzy Hash: 4DB2D070E00268CBDB14DF68D9447EEBBB1BF55304F14429EE449AB382DB785E84CB95
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID:
• String ID: $ $'7/$'7/$)$\$\$cannot use operator[] with a string argument with
• API String ID: 0-3193137110
• Opcode ID: 0cdb4320ce717c51c1e3663c5c95e3e42166bb38a92de2325e9aa405f1978a16
• Instruction ID: 707055d3f69e4e07746b85a66c6cfd133f65ba6d7924feda5609f4cec4274315
• Opcode Fuzzy Hash: 0cdb4320ce717c51c1e3663c5c95e3e42166bb38a92de2325e9aa405f1978a16
• Instruction Fuzzy Hash: 3372E270E00268DBDB24DF68D9457EEBBB0BF15308F14429ED44967382DB789A84CF95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,01005421,?,?,01005421,01005422), ref: 0041FAA5
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: FileFindFirst
• String ID: !T$\
• API String ID: 1974802433-3242880338
• Opcode ID: 8fa89b8a99d316467619f03f1f750873defb4ff755c165f81a6727646345314b
• Instruction ID: ad49764b5419d78d6ee9c6c252fc79b52b8fec3596e44256030d9def55ac6d48
• Opcode Fuzzy Hash: 8fa89b8a99d316467619f03f1f750873defb4ff755c165f81a6727646345314b
• Instruction Fuzzy Hash: 6CB1D0709002498FDF15CFA8C8547FEBBB0BF15308F14425EE455AB292D7785A8ADB94
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065C1
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065FE
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004066F1
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040673E
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: ___std_fs_directory_iterator_advance@8
• String ID: .
• API String ID: 2610647541-248832578
• Opcode ID: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
• Instruction ID: 0ef23cfc4c65f78b20a5b115fbe71865ac88f3790106b09d81af8426c26c804f
• Opcode Fuzzy Hash: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
• Instruction Fuzzy Hash: 5AD1D071900616DFCB20CF58C8947AEB7B4FF48328F15466AD816A77C0D73AAD65CB84
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,E9181111,E9181112,00000001), ref: 0043DFD9
  • Part of subcall function 0040AF70: GetModuleHandleA.KERNEL32(EC1B0A33), ref: 0040AFE5
  • Part of subcall function 0040AF70: GetProcAddress.KERNEL32(00000000,C7130A2F), ref: 0040AFF0
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: AddressCredEnumerateHandleModuleProc
• String ID: !$cannot use operator[] with a string argument with $hHS
• API String ID: 2949927473-2773771920
• Opcode ID: 52aeae85547f70baa02dcd7f0409400fa51b087c8b8a370bd9cfa4d6aa2d3ef5
• Instruction ID: 78b22a16384c3ecc8d55ced8a7577b3d60f2d080a590db0f4769b14bcf33a1ff
• Opcode Fuzzy Hash: 52aeae85547f70baa02dcd7f0409400fa51b087c8b8a370bd9cfa4d6aa2d3ef5
• Instruction Fuzzy Hash: 1713AB30D042988FDB25CF68C894BEEBBB1AF59304F1481DED44967382DB785A89CF95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32(?), ref: 0045DA07
• GetCursorPos.USER32(?), ref: 0045DA15
• Sleep.KERNELBASE(000003E9,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DACA
• GetCursorPos.USER32(?), ref: 0045DAD1
• Sleep.KERNELBASE(00000001,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DB87
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: Cursor$Sleep
• String ID:
• API String ID: 1847515627-0
• Opcode ID: 1694e71d0dae9a6905e43d5e89c9cdb7d8dc5d3e0a04ac429a78049a9d30e692
• Instruction ID: bbdc7af5ffbae6873724ca49be0fa542b01cacdbe8070c35df16c5b9ace19829
• Opcode Fuzzy Hash: 1694e71d0dae9a6905e43d5e89c9cdb7d8dc5d3e0a04ac429a78049a9d30e692
• Instruction Fuzzy Hash: 7E519831A082428FC724CF18C4D0E6AB7E2EF89705F1A499AE8859B352D735FD09CB85
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,EF0B0B1C,?,?,?,?), ref: 00422491
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: FolderPath
• String ID: )$\$cannot use operator[] with a string argument with
• API String ID: 1514166925-4288521057
• Opcode ID: 5ba642ec3cb0a91564e112746fcf88708c76d8ef936b5546a400d9f883f83e56
• Instruction ID: eca74086b4d8b65fd649f7a6fdb4489f28162b6af86d504ff607bc194230852c
• Opcode Fuzzy Hash: 5ba642ec3cb0a91564e112746fcf88708c76d8ef936b5546a400d9f883f83e56
• Instruction Fuzzy Hash: 3BF1BD70D04268DADB14DF64C955BDEBBB4BF15308F1481DEE44967282DBB81B88CF91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(EE0D1B36,?), ref: 00416186
• GetProcAddress.KERNEL32(00000000,E11A0C3E), ref: 00416191
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: AddressCreateHandleModuleProcProcess
• String ID: D
• API String ID: 3485509086-2746444292
                                                                                                                                                                                            • Opcode ID: 99a203e40770f878a1aa0ca9a985e095ed35557a0b55e641c53b98455d8fb0e2
                                                                                                                                                                                            • Instruction ID: ea7d779f1fc72c251558d129e53321ec91a959617f4191f212bf8088cf3ae0e6
                                                                                                                                                                                            • Opcode Fuzzy Hash: 99a203e40770f878a1aa0ca9a985e095ed35557a0b55e641c53b98455d8fb0e2
                                                                                                                                                                                            • Instruction Fuzzy Hash: 0151CF70A00218EFDB14CFA8CC85BEDBBB5FF44704F14419EE545AB292D778A946CB88
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Strings
                                                                                                                                                                                            • too many terms in compound SELECT, xrefs: 004CB666
                                                                                                                                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 004CB6AC
                                                                                                                                                                                            • min, xrefs: 004CCC6B
                                                                                                                                                                                            • max, xrefs: 004CCCCE
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: max$min$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
                                                                                                                                                                                            • API String ID: 0-2877691265
                                                                                                                                                                                            • Opcode ID: fbd03b09731f7fb73b0834140c81151357748eaef8a73ae9651058b7b71b28cb
                                                                                                                                                                                            • Instruction ID: c1929985df6c20adc65602af42118a6c04867d104e31f5cdb5b9dcf57f3213a0
                                                                                                                                                                                            • Opcode Fuzzy Hash: fbd03b09731f7fb73b0834140c81151357748eaef8a73ae9651058b7b71b28cb
                                                                                                                                                                                            • Instruction Fuzzy Hash: 881356746047418FD724DF19C090F2ABBE1FF85308F15896EE98A8B352DB79E845CB86
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,7FFFFFFD,?,00000000), ref: 00491D26
                                                                                                                                                                                            • CreateFileA.KERNEL32(?,?,00000003,00000000,?,?,00000000,89005445), ref: 00491D2E
                                                                                                                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,?,?,?), ref: 00491E5C
                                                                                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?), ref: 00491E92
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CreateDiskFileFreeSpace
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3321825543-0
                                                                                                                                                                                            • Opcode ID: 43ba0cbec80b2fa17c53ea0a5cf93c85ec04918b9e4dfa6bcad75a6e981aae53
                                                                                                                                                                                            • Instruction ID: 83f738b45ce3571a5b1a543967aa25571774c38b0d664623fa16f6a30307302f
                                                                                                                                                                                            • Opcode Fuzzy Hash: 43ba0cbec80b2fa17c53ea0a5cf93c85ec04918b9e4dfa6bcad75a6e981aae53
                                                                                                                                                                                            • Instruction Fuzzy Hash: DB4111716042029FDF21CF24D844BABBBE4EF80318F04467FF88582260E739D85ACB96
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004F67B4,00000000,00000000,00000000), ref: 004F6673
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: InformationTimeZone
                                                                                                                                                                                            • String ID: W. Europe Standard Time$W. Europe Summer Time
                                                                                                                                                                                            • API String ID: 565725191-690618308
                                                                                                                                                                                            • Opcode ID: 37dc3693d64b196c5e882212cddad6af1e0f65f0a5ddd334e881fb4f22ef6d2f
                                                                                                                                                                                            • Instruction ID: 9cad27d5f2b54b569fbe64af901152f9cd98cd860f96ba3425b9b03ecf62c301
                                                                                                                                                                                            • Opcode Fuzzy Hash: 37dc3693d64b196c5e882212cddad6af1e0f65f0a5ddd334e881fb4f22ef6d2f
                                                                                                                                                                                            • Instruction Fuzzy Hash: 91C12672D00119ABDB14BB65DC02ABF7BB9EF04758F11406BFA01EB295E7389E01D798
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __fread_nolock
                                                                                                                                                                                            • String ID: ($-$-$n:
                                                                                                                                                                                            • API String ID: 2638373210-3670314114
                                                                                                                                                                                            • Opcode ID: a881d8337272d300521ef66c90245c2cdd44f7d6a9f480f86602a872ce190f3b
                                                                                                                                                                                            • Instruction ID: ced5246b7ec2e2c7fa38917ff900392c96e66467ce63cf60e7d8a94b01cea5ec
                                                                                                                                                                                            • Opcode Fuzzy Hash: a881d8337272d300521ef66c90245c2cdd44f7d6a9f480f86602a872ce190f3b
                                                                                                                                                                                            • Instruction Fuzzy Hash: 9622E170D00288DFCF14DFA8C9597EDBBB0AF15308F14819ED445AB382EBB85A48DB95
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 0041F3E5
                                                                                                                                                                                            • LocalFree.KERNEL32(?), ref: 0041F414
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CryptDataFreeLocalUnprotect
                                                                                                                                                                                            • String ID: jjjj
                                                                                                                                                                                            • API String ID: 1561624719-48926182
                                                                                                                                                                                            • Opcode ID: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
                                                                                                                                                                                            • Instruction ID: 409469ce869bb278a755ece448acb5b2db033f64c44fe4e4698fcece5c69adc3
                                                                                                                                                                                            • Opcode Fuzzy Hash: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
                                                                                                                                                                                            • Instruction Fuzzy Hash: DDF0A7B2C4011896DF109BA49C01BEFB765FB54721F004037DC59A3340EB3948898ADA
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • FindClose.KERNEL32(000000FF,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB1D7
                                                                                                                                                                                            • FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB206
                                                                                                                                                                                            • GetLastError.KERNEL32(?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB218
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Find$CloseErrorFileFirstLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 4020440971-0
                                                                                                                                                                                            • Opcode ID: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
                                                                                                                                                                                            • Instruction ID: 8aa795b071709f9ad919938827d4aff15d16b66e82d9f8c16838a8eaa28f277c
                                                                                                                                                                                            • Opcode Fuzzy Hash: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
                                                                                                                                                                                            • Instruction Fuzzy Hash: D9F05431000508FFDB111FA5DC189AF7B9CEF143B0B108627BD68C56A0D73199A296E4
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
                                                                                                                                                                                            • Instruction ID: e16f3952025df4b57fbfa53020dcabc30b9a59b88706b4710c7fb5b6fa6fa324
                                                                                                                                                                                            • Opcode Fuzzy Hash: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
                                                                                                                                                                                            • Instruction Fuzzy Hash: D4028EB06047019FDB64CF29C840B27BBE0AF89314F15493EE48AC7751DB78E949CB5A
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,C0000000,00000003,00000000,7FFFFFFD,?,00000000), ref: 00491D26
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                            • Opcode ID: d5e735c4d325f6863c4bbb0d8d2f27c6b16101442465d86a64dd5004bcde936b
                                                                                                                                                                                            • Instruction ID: ea3f12589498c6031ede0a0e63da1aa6e190ef39183c8d3f3956d1ebbf566a56
                                                                                                                                                                                            • Opcode Fuzzy Hash: d5e735c4d325f6863c4bbb0d8d2f27c6b16101442465d86a64dd5004bcde936b
                                                                                                                                                                                            • Instruction Fuzzy Hash: D531BF716043069BDB10CF29D845B9BBBE5EBC4364F144A3EF858833A0E339D905CB96
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                            • API String ID: 0-4108050209
                                                                                                                                                                                            • Opcode ID: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
                                                                                                                                                                                            • Instruction ID: b0f2f4a4c71a32763588803a0d4209da0bfab023c608772363e77a77a94ad2d5
                                                                                                                                                                                            • Opcode Fuzzy Hash: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
                                                                                                                                                                                            • Instruction Fuzzy Hash: 30B1E17190468A9BCB35CF6BC4956BFB7A1AF08306F140A1FD992973C1C739AD02CB59
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
                                                                                                                                                                                            • Instruction ID: d460b15ecaef89ee619ee12d19a6560aac0686608ff237d971a34b1c2572f41b
                                                                                                                                                                                            • Opcode Fuzzy Hash: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4342B070A006458FDB14EE78C8807AEFBA1FF45310F148A6ED4A5E7781D738E54ACBA5
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
                                                                                                                                                                                            • Instruction ID: 0f76039a442bb9952bef901009f789ffb67366a02fe10e258d8ab1312df69022
                                                                                                                                                                                            • Opcode Fuzzy Hash: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
                                                                                                                                                                                            • Instruction Fuzzy Hash: C2B19F71A057019FC720EE69C840A5BB7E1EF88324F144F2EF8AAD3790D778E9458B56
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
                                                                                                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
                                                                                                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
                                                                                                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
                                                                                                                                                                                              • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,AA515422,?,AA515421,00445E27,00000000,AA515421,AA515422,74DF3100,?), ref: 0040E929
                                                                                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
                                                                                                                                                                                              • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                                              • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
                                                                                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
                                                                                                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
                                                                                                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: File$CreateDirectory$Copy$FolderPath$AttributesErrorFindFirstLast
                                                                                                                                                                                            • String ID: !$!$!$!*3$!2$!9$+$_
                                                                                                                                                                                            • API String ID: 3765264142-3231385310
                                                                                                                                                                                            • Opcode ID: c97c785990be2afd87e065f286dab4b84683a59cb7c9f88ae3acebcfe4532174
                                                                                                                                                                                            • Instruction ID: 1ea3575fd4b082580b03a57aa614fe65a7d59f87011cefd104f53cc2a58c0b7a
                                                                                                                                                                                            • Opcode Fuzzy Hash: c97c785990be2afd87e065f286dab4b84683a59cb7c9f88ae3acebcfe4532174
                                                                                                                                                                                            • Instruction Fuzzy Hash: A0538D70C04298DADB21EB65CD557DEBB74AF21308F4441EAD449772C2EBB81B88CF96
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Control-flow Graph
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00474FE3
                                                                                                                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 00474FF7
                                                                                                                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 0047510F
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475123
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751E0
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751FA
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475369
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047537D
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475452
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475466
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047554C
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475560
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475811
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475825
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: ___std_exception_destroy
• String ID: O$array$number overflow parsing '$object$value
• API String ID: 4194217158-306733086
• Opcode ID: 8699a4883028f2283cf753ee7145cf49f00b0654cf6daf8d0f6dfe83358f178b
• Instruction ID: 2b8bbb5fb6bef53096142a6844d47d0bb0a5a7ac0895a6da9de1fd59fd81eee6
• Opcode Fuzzy Hash: 8699a4883028f2283cf753ee7145cf49f00b0654cf6daf8d0f6dfe83358f178b
• Instruction Fuzzy Hash: 4192A170C00248DEDB10DFA4C944BEEBFB5BF55304F14859ED459BB282E7786A48CBA6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(control-flow graph of the function at 0040CAC0; graph image not reproduced in this extraction)
APIs
• RegGetValueA.KERNELBASE(80000002,?,E1121139,0001FFFF,00000001,?,00000104), ref: 0040CBD2
• GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 0040CC3C
• LsaOpenPolicy.ADVAPI32(00000000,0054267C,00000001,00000000), ref: 0040CC95
• LsaQueryInformationPolicy.ADVAPI32(00000000,0000000C,?), ref: 0040CCA8
• LsaFreeMemory.ADVAPI32(?), ref: 0040CCD6
• LsaClose.ADVAPI32(00000000), ref: 0040CCDF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
• String ID: %wZ
• API String ID: 762890658-705104578
• Opcode ID: 166a9ff142172029c0040eea49c4842755af3bf5647daa4c554d03e8e1780dd8
• Instruction ID: ed953d859019ede538f053c97b4c3f4d0f04af77b925e9ea28d8cfb3e11cd022
• Opcode Fuzzy Hash: 166a9ff142172029c0040eea49c4842755af3bf5647daa4c554d03e8e1780dd8
• Instruction Fuzzy Hash: A4615871800308DBEB11CFA4DC49BEEBBB8FF09708F0042AEE545B6181E7B55689CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
• GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID: \*.*$DT$DT
• API String ID: 995686243-3062393244
• Opcode ID: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
• Instruction ID: 98fd9ba19aa43d818a037ed0b56ad2d2959cead2aa0cd36f25e414e829a489f2
• Opcode Fuzzy Hash: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
• Instruction Fuzzy Hash: 65110371940600E7CB205BA8A809BBE3654E713728F2087BFD425B77D0D73989048ADE
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAStartup.WS2_32 ref: 0041D45A
• getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
• socket.WS2_32(?,?,?), ref: 0041D4FD
• connect.WS2_32(00000000,?,?), ref: 0041D511
• closesocket.WS2_32(00000000), ref: 0041D51D
• freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
• WSACleanup.WS2_32 ref: 0041D530
• freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D545
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
• String ID:
• API String ID: 58224237-0
• Opcode ID: 9e175c3fb731f2d83ed7f833e896eca511ac56fc806b49c65e091bf6ddb77191
• Instruction ID: 10aaa8cdc1ea530b3675de8615b35e11d712a8cdb30829ada3d8eaee2944026b
• Opcode Fuzzy Hash: 9e175c3fb731f2d83ed7f833e896eca511ac56fc806b49c65e091bf6ddb77191
• Instruction Fuzzy Hash: 4B31C572904710AFC7209F25DC446ABB7E5BFD4768F144B1EF874972E0E374A8488A96
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,0000005C), ref: 00410419
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00410440
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: !9$!?$\$z
• API String ID: 1514166925-421792958
• Opcode ID: 4d2ebbe7fbb90f0baa02c41ac1f397a3c42292e9a9788ddd62f773cd65c9a97e
• Instruction ID: 33bcead3f6425d6fe5e8ee5dd770ddedfc453baf21d0c58b111339a848723dbc
• Opcode Fuzzy Hash: 4d2ebbe7fbb90f0baa02c41ac1f397a3c42292e9a9788ddd62f773cd65c9a97e
• Instruction Fuzzy Hash: CF72DE70C0029D9ACF25DB64CD557EDBB74AF11308F0442EAD04977292EBB82B89CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBB6
• GetProcAddress.KERNEL32(00000000,D33E2D2A), ref: 0041DBC1
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBD6
• GetCurrentProcess.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0041DEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AddressCurrentHandleModuleProcProcessSend
• String ID: !$Ws2_32.dll
• API String ID: 3060695839-2514955806
• Opcode ID: 654a071ebcfca27028d8c8b3186257bf75a61a552ec29776b5d4993f54e7b2ee
• Instruction ID: 01333148d2ba12cff5aab798363fe08ebaf14db0bfb04055ccee031f61c34342
• Opcode Fuzzy Hash: 654a071ebcfca27028d8c8b3186257bf75a61a552ec29776b5d4993f54e7b2ee
• Instruction Fuzzy Hash: D96224B0D04288DEDF10DFA8C9557EEBFB0AF15308F24415EE4456B282E7B85A84DBD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477949
• Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477991
• GetFileAttributesA.KERNELBASE(?), ref: 004077C1
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: ___std_fs_convert_narrow_to_wide@20$AttributesFile
• String ID: $.zip$/$\$recursive_directory_iterator::recursive_directory_iterator
• API String ID: 2896367778-1520678085
• Opcode ID: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
• Instruction ID: 83cbc35ccc226e9dfc96b22cc8f0aa30fdcd4d5be8d4862c17add94487e3c136
• Opcode Fuzzy Hash: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
• Instruction Fuzzy Hash: 55429D70D05258DFDB10DFA8C9587DEBBB0BF15308F14819DE4097B282DB785A88CB96
Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCC0
• ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCDA
• ___std_exception_destroy.LIBVCRUNTIME ref: 0046D09A
• ___std_exception_destroy.LIBVCRUNTIME ref: 0046D0B4
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: .$value
• API String ID: 4194217158-1166439862
• Opcode ID: e496a2b897f4cc47c3c349c9a923896fd0130218f411de5472431c421e3b0241
• Instruction ID: 6bb52dc470a67732b65bfa6fba687dde157c2efc00668daf5dfdc611f465addf
• Opcode Fuzzy Hash: e496a2b897f4cc47c3c349c9a923896fd0130218f411de5472431c421e3b0241
• Instruction Fuzzy Hash: 09328D70D01288DEDB14CFA9C9547EEBBB1AF15304F24819EE458AB382E7785B48DF52
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 712faec5eeebce6baaee8b13617faba26b3b358921950160ad50f9a09d9e58b7
• Instruction ID: e1f0bbcd43b77d7626f4e77856158d48870e96d21c9a9c54683f95f8a13591de
• Opcode Fuzzy Hash: 712faec5eeebce6baaee8b13617faba26b3b358921950160ad50f9a09d9e58b7
• Instruction Fuzzy Hash: D5B15974E0424CEFDB11DF99D880BBE7BB1AF56304F14415AE6049B3A2C778AD42CB69
Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 004EAD8B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EADA7
• __allrem.LIBCMT ref: 004EADBE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EADDC
• __allrem.LIBCMT ref: 004EADF3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004EAE11
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 71c8420f77c3c6b4205cd649fa68cc37f68444db08f8c9dfdfe450398f673b61
• Instruction ID: 1b3fea5176a95fd5fcec1025af7aaf911d8005413d807e00b03de1864a21ce91
• Opcode Fuzzy Hash: 71c8420f77c3c6b4205cd649fa68cc37f68444db08f8c9dfdfe450398f673b61
• Instruction Fuzzy Hash: E9811672A00B469BD7209B2FCC41B6B73E9AF40366F24462FF511C6381E778ED10879A
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D79A
• GetProcAddress.KERNEL32(00000000,D33E2D2A), ref: 0041D7A5
• WSASend.WS2_32(0000000F,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041D7BA
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: AddressHandleModuleProcSend
• String ID: Ws2_32.dll
• API String ID: 2819740048-3093949381
• Opcode ID: 9517ec4b1f576d9da9d222c3615f595219f8e349a9d98ca48cb852c8f1395d60
• Instruction ID: c78504d2326526b64a61b18178364e1bfccedb5a55b1f6e357964f3563c7d9a6
• Opcode Fuzzy Hash: 9517ec4b1f576d9da9d222c3615f595219f8e349a9d98ca48cb852c8f1395d60
• Instruction Fuzzy Hash: 4BA177B0E00614DFCB24DF58C8447AEBBF0AF09714F18855EE86AAB381D738AD41CB95
Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(?,?,00000000), ref: 00414337
• std::_Throw_Cpp_error.LIBCPMT ref: 00414482
• std::_Throw_Cpp_error.LIBCPMT ref: 00414493
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CopyFile
• String ID: \
• API String ID: 4177132511-2967466578
• Opcode ID: f114192478a6e6d6ce68caa2ad7414d5d318043e3c530a0362308b7ada6f61e4
• Instruction ID: ec448d641316e2a3872437f4d92d0186c9a642a8506e38dff8007fdda78d9240
• Opcode Fuzzy Hash: f114192478a6e6d6ce68caa2ad7414d5d318043e3c530a0362308b7ada6f61e4
• Instruction Fuzzy Hash: 8681FC70D00288DFDF04DBE4D945BEDBBB4EF15308F20429EE41067292EBB81A48DB96
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(dN,?,004E64E1,?,?,?,00000000), ref: 004F4C11
• GetLastError.KERNEL32(?,004E64E1,?,?,?,00000000), ref: 004F4C1B
• __dosmaperr.LIBCMT ref: 004F4C22
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID: dN
• API String ID: 1545401867-1959024296
• Opcode ID: 5dc75ce04c15e295acdd42d31dd70232daf278466f7767e5e62d7905f0952de2
• Instruction ID: 75627c7e57507863508bb374b15be04f9f819f00b988c6ee8400558b9e74fa4a
• Opcode Fuzzy Hash: 5dc75ce04c15e295acdd42d31dd70232daf278466f7767e5e62d7905f0952de2
• Instruction Fuzzy Hash: A3D02232000508FB8B002BF2BC0C8573B1CDFD03393100A23F42CC05A0EE35C891A250
Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0049131F
                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0049132A
                                                                                                                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00491352
                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0049135C
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2170121939-0
                                                                                                                                                                                            • Opcode ID: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                                            • Instruction ID: 0b9ab4fa7100161e3312e7656db52f40096a583a722d5ee13f2c0e10fa81db1a
                                                                                                                                                                                            • Opcode Fuzzy Hash: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                                            • Instruction Fuzzy Hash: EA114632600509EBDB108FA9EC05BDABBA8EF55371F008267FD1CC6660E775D9609BD0
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0040AC70: __fread_nolock.LIBCMT ref: 0040AD44
                                                                                                                                                                                            • DeleteFileA.KERNELBASE(?), ref: 0041EC07
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: DeleteFile__fread_nolock
                                                                                                                                                                                            • String ID: 3$LLO
                                                                                                                                                                                            • API String ID: 3901365830-3436979598
                                                                                                                                                                                            • Opcode ID: 28c52cacd2c957560e9c7c0415dc4790710b94966933ca8888bcb898eb906615
                                                                                                                                                                                            • Instruction ID: 9c1f0ea9d723b0c493cc9026af37a2a9db30951a99a2893970e01de627fa0d85
                                                                                                                                                                                            • Opcode Fuzzy Hash: 28c52cacd2c957560e9c7c0415dc4790710b94966933ca8888bcb898eb906615
                                                                                                                                                                                            • Instruction Fuzzy Hash: 46B1CE74E00249DFCB00DF65C804BEEBBB1AF45308F24819AE501AB382D779AE85DBD5
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 004F2053: GetConsoleOutputCP.KERNEL32(0FD0FE90,00000000,00000000,?), ref: 004F20B6
                                                                                                                                                                                            • WriteFile.KERNELBASE(?,00000000,004E6777,?,00000000,00000000,00000000,?,00000000,?,00000000,wgN,00000000,00000000,?,?), ref: 004F2AC2
                                                                                                                                                                                            • GetLastError.KERNEL32(?,004E6777,00000000,?,00000000,?,00000000,00000000), ref: 004F2ACC
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                            • String ID: wgN
                                                                                                                                                                                            • API String ID: 2915228174-354891312
                                                                                                                                                                                            • Opcode ID: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
                                                                                                                                                                                            • Instruction ID: 58ddb85c8bea4c2b3dbe3e5c994e5fd3db19d053895fb78a9c91e10694f9601d
                                                                                                                                                                                            • Opcode Fuzzy Hash: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
                                                                                                                                                                                            • Instruction Fuzzy Hash: BB61A271D0011EAFDF11CFA8CA84EFEBBB9AF19304F14014AEA00A7255D3B9D906CB55
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00439BA8
                                                                                                                                                                                            • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00439C52
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FolderNamesPathPrivateProfileSection
                                                                                                                                                                                            • String ID: TbE
                                                                                                                                                                                            • API String ID: 2478605195-3720847194
                                                                                                                                                                                            • Opcode ID: e00a99a1756a195747ebc2d94fcb2e2f225bbe9d1b9e17b232250beeccc99cec
                                                                                                                                                                                            • Instruction ID: 439a41f54deddd431a1aaf7f453ea8ea4134e207f860afbb2d985c5b74ba0d84
                                                                                                                                                                                            • Opcode Fuzzy Hash: e00a99a1756a195747ebc2d94fcb2e2f225bbe9d1b9e17b232250beeccc99cec
                                                                                                                                                                                            • Instruction Fuzzy Hash: 55519D74905398DEDB10CBA4CD45BCDBBB8AF15304F1080D9E549AB282D7B86B88CF56
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
                                                                                                                                                                                            • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
                                                                                                                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
                                                                                                                                                                                            • String ID: absolute
                                                                                                                                                                                            • API String ID: 1297148070-2799662678
                                                                                                                                                                                            • Opcode ID: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
                                                                                                                                                                                            • Instruction ID: df52e70302dbc25e70dbc729ec55d43ed626788b5323ae355475d9aa96fec0df
                                                                                                                                                                                            • Opcode Fuzzy Hash: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
                                                                                                                                                                                            • Instruction Fuzzy Hash: 9831D071900618ABCB20EF55C945AAFBBB8FF44764F00066AE815773C1DB38AA04CBE5
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
                                                                                                                                                                                              • Part of subcall function 004DBDDA: ReleaseSRWLockExclusive.KERNEL32(?,DT,0040B6FD,005444E8,?,?,\*.*,00000004), ref: 004DBDEE
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 0040B2E4
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 0040B2F5
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1881651058-0
                                                                                                                                                                                            • Opcode ID: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
                                                                                                                                                                                            • Instruction ID: 2083917a30228ff47c2f58c55b42abb2321d0377fce0ac6287103c5d37e315ef
                                                                                                                                                                                            • Opcode Fuzzy Hash: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
                                                                                                                                                                                            • Instruction Fuzzy Hash: E0F086B5980704EBDB209B5A9D06B9A7A98E702B38F11436FF435533D0E7755A00CAEA
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,004EC813,?,004E1C93,?,?,0FD0FE90,004E1C93,?), ref: 004EC82A
                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,004EC813,?,004E1C93,?,?,0FD0FE90,004E1C93,?), ref: 004EC831
                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 004EC843
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                                            • Opcode ID: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
                                                                                                                                                                                            • Instruction ID: 441ef718a996dc58b5bae7a476c47dbc26188b301f5d8cdfa8241a9a43c48a8d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
                                                                                                                                                                                            • Instruction Fuzzy Hash: AED05E32000544FBCF013F62DE4D8993F29BFA0347B448025B86549131DB79895AEA84
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __fread_nolock
                                                                                                                                                                                            • String ID: qZC
                                                                                                                                                                                            • API String ID: 2638373210-99843713
                                                                                                                                                                                            • Opcode ID: 76bdb592ddef706300133dbfa687927414c06cad877995d3f5d6c6de751250de
                                                                                                                                                                                            • Instruction ID: 3efdec9f11fb5ccab0b93a08b8835ae454c2da5b4ba630b013088ba2f123ba09
                                                                                                                                                                                            • Opcode Fuzzy Hash: 76bdb592ddef706300133dbfa687927414c06cad877995d3f5d6c6de751250de
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8331B2709043459BDB20EF69C905B6FBBF4EF44704F10066EE5416B2C2D7B99A48CBD6
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __fread_nolock
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2638373210-0
                                                                                                                                                                                            • Opcode ID: ec22e4f50313ced31549da422d7a857b29f27fbc93b2f98bdcf651741bea44c0
                                                                                                                                                                                            • Instruction ID: 79d947a9d222d8f0fc42436fae4463b375b8f25b2523b1e7cbdb0ad83c72afb4
                                                                                                                                                                                            • Opcode Fuzzy Hash: ec22e4f50313ced31549da422d7a857b29f27fbc93b2f98bdcf651741bea44c0
                                                                                                                                                                                            • Instruction Fuzzy Hash: FE618A766042459FCB14CF2DD88096AB7E1EF84325F0486AAFC18CB355EB35DD18CB9A
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 00414675
                                                                                                                                                                                            • std::_Throw_Cpp_error.LIBCPMT ref: 00414686
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Cpp_errorThrow_std::_
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2134207285-0
                                                                                                                                                                                            • Opcode ID: ac862eee7d6d7ce6c3a12efbee1ba40941964af439277532c0956238cae26ce1
                                                                                                                                                                                            • Instruction ID: d0c1233a766ed38641b4c07237d350fd222a008ab52e14fa55b74dcab28789ba
                                                                                                                                                                                            • Opcode Fuzzy Hash: ac862eee7d6d7ce6c3a12efbee1ba40941964af439277532c0956238cae26ce1
                                                                                                                                                                                            • Instruction Fuzzy Hash: BB411375E00205CBCB24DF6CD8017AEB7B2FB91708F05062EE815A7392DB78A984DBD4
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
                                                                                                                                                                                            • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3016148460-0
                                                                                                                                                                                            • Opcode ID: 199b10b5cbcfc3bac638bdf402b44041a05770ed40428cdac618f3dde5b17595
                                                                                                                                                                                            • Instruction ID: d4caf346f189b166542986bb95bd81797666f76ba9d979eef76578570dd901e2
                                                                                                                                                                                            • Opcode Fuzzy Hash: 199b10b5cbcfc3bac638bdf402b44041a05770ed40428cdac618f3dde5b17595
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D31D072A00618ABCB24EF49D851BAEB7B4EF84764F01066FEC1663780DB396D14CAD4
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4269
                                                                                                                                                                                            • GetLastError.KERNEL32(004E60B3,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4274
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                            • Opcode ID: 8b73b785357b2346bfa9b41464cc3ad5fe5b38bc98d19c64144e2217278180d9
                                                                                                                                                                                            • Instruction ID: ea2134de0cf5f8181c31f49d7920a3ecd8334c799a4adc26afd63096a676bfd3
                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b73b785357b2346bfa9b41464cc3ad5fe5b38bc98d19c64144e2217278180d9
                                                                                                                                                                                            • Instruction Fuzzy Hash: 62E08632100614A7CB112BA5AC0C7DE3F98AF80395F028476F60C86160EA3898649798
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00463084
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 118556049-0
                                                                                                                                                                                            • Opcode ID: 0040cee60ca297e69843916d9e08cedfca06c9dd066ab9114cb05fc50e05205c
                                                                                                                                                                                            • Instruction ID: 59b4687fba2c297bc731340152e5b068dfc9242d9b83cc7db5c654b00a7a6a14
                                                                                                                                                                                            • Opcode Fuzzy Hash: 0040cee60ca297e69843916d9e08cedfca06c9dd066ab9114cb05fc50e05205c
                                                                                                                                                                                            • Instruction Fuzzy Hash: 66C139B0901249DFDB00CF69C54479DFBF0AF49314F28C1AEE458AB381E37A9A45CB95
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 004732BF
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 118556049-0
                                                                                                                                                                                            • Opcode ID: 150b7637050e69aef51a16e820c71c3c63b1338bb9b03a6eedc2294d11a0e4c1
                                                                                                                                                                                            • Instruction ID: aa5b3fa2fee637667061d727e0b6404d379ff605ea095809ed05f8f8f5eeafac
                                                                                                                                                                                            • Opcode Fuzzy Hash: 150b7637050e69aef51a16e820c71c3c63b1338bb9b03a6eedc2294d11a0e4c1
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3851A471E001159FCB08DF69C941AEEB7F5AF98300F14816EE809E7396EB38DE058795
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca496ef47f0e7f3bd31ff4d0c6dd67ba7ae3da1b984ba6e74bea7cea9b832298
• Instruction ID: a945f24e44b28e743e936d21751d2e95920c4c00ec505ba9b30c130e86fbcea3
• Opcode Fuzzy Hash: ca496ef47f0e7f3bd31ff4d0c6dd67ba7ae3da1b984ba6e74bea7cea9b832298
• Instruction Fuzzy Hash: 6151F670A00284AFDF14CF5ACD81AAABFB5EF45315F24815AF9085B352C3B5DE41CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0043E9E1
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID:
• API String ID: 1514166925-0
• Opcode ID: 00292a1e1a46c6d08b35fa9810c9ef956cd47fc03e01ceeaba4aa248ee264165
• Instruction ID: 36d381137addb5946eb5037d73dfdd92bc489d8c6fa9d9ee1390ad8f6e1c4cd5
• Opcode Fuzzy Hash: 00292a1e1a46c6d08b35fa9810c9ef956cd47fc03e01ceeaba4aa248ee264165
• Instruction Fuzzy Hash: 0C512970C04298CAEB14DF64C949BEDB770AF16304F1082DDD0992B2D2DBB91A89CF65
Uniqueness

Uniqueness Score: -1.00%
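
Added example (not part of the Joe Sandbox report or its IDA plugin): the Python below parses function blocks in the layout shown above into records, pulls the API calls out of each block, and decodes the second argument of the SHGetFolderPathA call at 0043E9E1. That argument, 0x1A, is CSIDL_APPDATA (%APPDATA%), the roaming profile directory where the browser and wallet data the report flags as harvested is stored. The sample input is a constructed excerpt in the report's own layout with the indentation removed; the regexes, field names and the CSIDL table are assumptions made for this example, not anything the report or the sandbox defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of the function blocks above, with the
# report's leading indentation removed; built for this example, not a full report.
SAMPLE_REPORT = """\
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0043E9E1
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FolderPath
• String ID:
• API String ID: 1514166925-0
• Opcode ID: 00292a1e1a46c6d08b35fa9810c9ef956cd47fc03e01ceeaba4aa248ee264165
• Instruction Fuzzy Hash: 0C512970C04298CAEB14DF64C949BEDB770AF16304F1082DDD0992B2D2DBB91A89CF65
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F42CD: RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
• RtlReAllocateHeap.NTDLL(00000000,00000000,?,004EF921,00000000,?,004FA453,00000000,004EF921,00000012,00000001,?,?,004EF71B,00000001,00000012), ref: 004F4C8E
Memory Dump Source
• API ID: AllocateHeap
• Opcode ID: 2e7b996dfa0404416d11db56eea4719c29d833f3cb97030e177712381e300773
• Instruction Fuzzy Hash: BBF0FC3610219DA6C7212A23AC04F7F37589FC2775B17512BFB28962A1EF3CC80155AD
Uniqueness Score: -1.00%
"""

# CSIDL folder ids from shlobj.h, limited to the ones stealers usually ask for.
CSIDL_NAMES = {
    0x05: "CSIDL_PERSONAL",        # My Documents
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",         # %APPDATA% (roaming)
    0x1C: "CSIDL_LOCAL_APPDATA",   # %LOCALAPPDATA%, e.g. Chromium "User Data"
    0x28: "CSIDL_PROFILE",         # %USERPROFILE%
}

# "<api>.<module>(<args>), ref: <addr>", optionally prefixed by the subcall note.
API_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<value>.*)$")  # "Opcode ID: ..." etc.


def parse_function_blocks(text: str) -> List[Dict]:
    """One record per 'APIs' block: its API calls plus the 'Key: value' metadata."""
    blocks: List[Dict] = []
    current: Optional[Dict] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":                  # every function block starts with this header
            current = {"apis": [], "fields": {}}
            blocks.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        call = API_CALL_RE.match(line) if in_apis else None
        if call:
            current["apis"].append({
                "api": call["api"], "module": call["module"],
                "args": call["args"].split(","), "ref": call["ref"].upper(),
                "subcall_of": call["subcall"].upper() if call["subcall"] else None,
            })
            continue
        in_apis = False                     # first non-call line closes the API list
        field = FIELD_RE.match(line)
        if field:
            current["fields"][field["key"]] = field["value"].strip()
    return blocks


def decode_csidl(arg: str) -> Optional[str]:
    """Map a hex CSIDL argument as printed in the report to its symbolic name."""
    try:
        value = int(arg, 16)
    except ValueError:                      # "?": argument not recovered by the plugin
        return None
    return CSIDL_NAMES.get(value & 0xFF)    # high bits are CSIDL_FLAG_* (0x8000 = CREATE)


def folder_lookups(blocks: List[Dict]) -> List[Tuple[str, str, Optional[str]]]:
    """(call site, raw CSIDL arg, decoded name) for every SHGetFolderPath{A,W} call."""
    out = []
    for block in blocks:
        for call in block["apis"]:
            if call["api"] in ("SHGetFolderPathA", "SHGetFolderPathW") and len(call["args"]) > 1:
                out.append((call["ref"], call["args"][1], decode_csidl(call["args"][1])))
    return out
```

Running `folder_lookups(parse_function_blocks(SAMPLE_REPORT))` yields the single tuple `('0043E9E1', '0000001A', 'CSIDL_APPDATA')`; a `?` argument (one the plugin could not recover, as in the CreateFileW call further down) decodes to None rather than being guessed. The same records carry the Opcode ID and Instruction Fuzzy Hash fields, so the parser is also the first step for comparing these blocks against another sample's report.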

APIs
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: ce8c8d26a6cf1203399e48e3489b41464c0ac9c413dfbd9d240d27beddf010ef
• Instruction ID: c702d2e50921a8ae65e55aa74d458528cfbe078649856ca03a733f80a4f7abb2
• Opcode Fuzzy Hash: ce8c8d26a6cf1203399e48e3489b41464c0ac9c413dfbd9d240d27beddf010ef
• Instruction Fuzzy Hash: 4D31E770900344EBDB10EF6AC945B9F7BA8EF44754F10006EF505AB2C2D7B99A45CBD5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 3b50b9f4432160aaeec5eb5c4487fedfe5dbb325632b8fe68e188bd048fdc69b
• Instruction ID: 372facd2f6f90403c542fea89f6ff45e59fd47fada9579d09d9ccc480ef049f9
• Opcode Fuzzy Hash: 3b50b9f4432160aaeec5eb5c4487fedfe5dbb325632b8fe68e188bd048fdc69b
• Instruction Fuzzy Hash: 2831F470900248EBDB10EF69DD45B9F7BA8EF44748F10046EF405AB2C2D7B98A05CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F42CD: RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
• RtlReAllocateHeap.NTDLL(00000000,00000000,?,004EF921,00000000,?,004FA453,00000000,004EF921,00000012,00000001,?,?,004EF71B,00000001,00000012), ref: 004F4C8E
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 2e7b996dfa0404416d11db56eea4719c29d833f3cb97030e177712381e300773
• Instruction ID: c197068544b6a74edd42beafa1091b609f8eeec5afa400caf0f2e88d1c1e41a9
• Opcode Fuzzy Hash: 2e7b996dfa0404416d11db56eea4719c29d833f3cb97030e177712381e300773
• Instruction Fuzzy Hash: BBF0FC3610219DA6C7212A23AC04F7F37589FC2775B17512BFB28962A1EF3CC80155AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 2198638593cbac858731316a311480fbe239b50477190752b525c17ad8c2d171
• Instruction ID: 89252cde3629954a7dd651662e79814aadfa885b8aeb937b2ffe9774318fd193
• Opcode Fuzzy Hash: 2198638593cbac858731316a311480fbe239b50477190752b525c17ad8c2d171
• Instruction Fuzzy Hash: 23E0A02530421896D63126AA9C04BBB3A489BC23B8F160167BF0596291DF2CCC0181FE
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 642ab808bc47696ae728f0514146959be3b190675648a466094860987fb1a248
• Instruction ID: 6774f2ffb1e86b77a5a3f95ea0b65f3d51a0f57c6d64d54c353970c0c04ae7a7
• Opcode Fuzzy Hash: 642ab808bc47696ae728f0514146959be3b190675648a466094860987fb1a248
• Instruction Fuzzy Hash: 66E09AB6C0020DAADB00DFD5C452BEFBBFCAB08304F50412BA205E7141EA7857858BE1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 004EBBD9
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5bacf90617f034da2893445faaeab56ee3b919b783a427b181f714fcfbce91ee
• Instruction ID: 68ba10a0c8402e923ab1748f6cde1fcb114169dd3f62df60daf3c7347e77fc85
• Opcode Fuzzy Hash: 5bacf90617f034da2893445faaeab56ee3b919b783a427b181f714fcfbce91ee
• Instruction Fuzzy Hash: 68D06C3205010DFBDF028F84DC06EDA3BAAFB88714F018000BA5856120C732E821EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C630000), ref: 0043CA73
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 1b817b431e1bcb8b8660f8d52eba7c158e344ec8198f08c13cc3c16a208e3d83
• Instruction ID: c2aff94c4f18faa8c51ba634006d0e3fc72a7f72d38d24f3f513cb8b6753d3b2
• Opcode Fuzzy Hash: 1b817b431e1bcb8b8660f8d52eba7c158e344ec8198f08c13cc3c16a208e3d83
• Instruction Fuzzy Hash: 9EC0805844C7C19BD70283704C0C3DEFF547B37308F8800879544D5196F27CC018D611
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C630000), ref: 0043CA73
Memory Dump Source
• Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dendy.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
                                                                                                                                                                                            • API String ID: 3664257935-0
                                                                                                                                                                                            • Opcode ID: f8c40282056245796d7f5b5903a6d79a5f33a872c032442f370485422ea39e21
                                                                                                                                                                                            • Instruction ID: 6f1538f3c83fda123e057c8c8b71c8c1581e6641b9bb3c2eae2c166c88091a8e
                                                                                                                                                                                            • Opcode Fuzzy Hash: f8c40282056245796d7f5b5903a6d79a5f33a872c032442f370485422ea39e21
                                                                                                                                                                                            • Instruction Fuzzy Hash: 47C01228184381AAE702D774AC4C39B3AA8732B308F485046A548AA2A0C2388818EB60
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E907
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                                            • Opcode ID: 4e61a29468601ae107fcbb5908c62a8ddce1d426291d1a0b980b0851b5dfc28d
                                                                                                                                                                                            • Instruction ID: 2d83a94df2baf58943d0f3b62cebef5c529e926cc23f22bb3e5c921deb1b50d4
                                                                                                                                                                                            • Opcode Fuzzy Hash: 4e61a29468601ae107fcbb5908c62a8ddce1d426291d1a0b980b0851b5dfc28d
                                                                                                                                                                                            • Instruction Fuzzy Hash: CC0170B6D40644ABE720AF599C0ABAE7B54E742B28F14024EE5141B3C1D778184497C6
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E9A7
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                                            • Opcode ID: c71fed6dc4406716ad3e82436c4be857b3d0207b63c57079c4abe8ad12ac6a00
                                                                                                                                                                                            • Instruction ID: c0ebd88b23e82388457c6e033b9a36544d288d880ff3c5bc3782192cdc59a11b
                                                                                                                                                                                            • Opcode Fuzzy Hash: c71fed6dc4406716ad3e82436c4be857b3d0207b63c57079c4abe8ad12ac6a00
                                                                                                                                                                                            • Instruction Fuzzy Hash: C80170B6E50644ABD720AB598C06BAE7B64E741B28F14024EE5181B3C1D77818448BC5
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%

                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EA47
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_dendy.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                                            • Opcode ID: 294e3994608df9d2247225b855f5deb84c7bf25973ab743ac96f85c4bcd2010b
                                                                                                                                                                                            • Instruction ID: 0d7175a4dc27f87d51934cd4431bd18cdaf37a0565b35fbcc2f8f436f7c141fc
                                                                                                                                                                                            • Opcode Fuzzy Hash: 294e3994608df9d2247225b855f5deb84c7bf25973ab743ac96f85c4bcd2010b
                                                                                                                                                                                            • Instruction Fuzzy Hash: D5017B75E44784AFD720EB59DC06BAEBBA4EB51B28F04024EF5142B7C1D7B8184487C5
                                                                                                                                                                                            Uniqueness

                                                                                                                                                                                            Uniqueness Score: -1.00%