
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1427905
MD5: 265d5b8b9f603f0f5ef62f2c27449607
SHA1: 39576d6d8388dea489946141dbccf9cf5fe3a28f
SHA256: 948d096a3931a22f116b93ffeefb3a374834d8eb578620c0ffc83f3e468eed81
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 265D5B8B9F603F0F5EF62F2C27449607)
    • schtasks.exe (PID: 7396 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7444 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7548 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 996 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1020 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1416 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1828 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1848 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7524 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1808 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1940 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1948 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7584 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 265D5B8B9F603F0F5EF62F2C27449607)
  • MPGPH131.exe (PID: 7592 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 265D5B8B9F603F0F5EF62F2C27449607)
  • RageMP131.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 265D5B8B9F603F0F5EF62F2C27449607)
    • WerFault.exe (PID: 7440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 952 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 2352 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 265D5B8B9F603F0F5EF62F2C27449607)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(43 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
8.3.MPGPH131.exe.4a60000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0.2.file.exe.4ac0e67.1.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
26.2.RageMP131.exe.400000.0.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
8.2.MPGPH131.exe.400000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
9.3.MPGPH131.exe.4a10000.0.raw.unpack | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(15 entries in total; 5 shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7328, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort IDS alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/18/24-10:30:16.680980 | 2046269 | 49740 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:29:08.862568 | 2046267 | 58709 | 49730 | TCP | A Network Trojan was detected
04/18/24-10:29:04.926205 | 2046266 | 58709 | 49730 | TCP | A Network Trojan was detected
04/18/24-10:29:38.779297 | 2046269 | 49730 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:30:10.701508 | 2046269 | 49746 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:30:15.638714 | 2046269 | 49747 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:29:04.737548 | 2049060 | 49730 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:30:04.701296 | 2046269 | 49739 | 58709 | TCP | A Network Trojan was detected
04/18/24-10:29:35.017563 | 2046267 | 58709 | 49739 | TCP | A Network Trojan was detected
04/18/24-10:30:09.489545 | 2046266 | 58709 | 49747 | TCP | A Network Trojan was detected
04/18/24-10:29:31.522217 | 2046266 | 58709 | 49739 | TCP | A Network Trojan was detected
04/18/24-10:29:40.034897 | 2046266 | 58709 | 49740 | TCP | A Network Trojan was detected
04/18/24-10:30:07.590057 | 2046266 | 58709 | 49746 | TCP | A Network Trojan was detected
04/18/24-10:30:11.578830 | 2046267 | 58709 | 49746 | TCP | A Network Trojan was detected
04/18/24-10:30:11.622681 | 2046267 | 58709 | 49747 | TCP | A Network Trojan was detected

AV Detection

Source: file.exe | Avira: detected
Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: HEUR/AGEN.1310450
Source: http://147.45.47.102:57893/hera/amadka.exe | Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe | Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exee | Virustotal: Detection: 23%
Source: http://193.233.132.167/cost/lenin.exe192.168.0 | Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exero | Virustotal: Detection: 23%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 47%
Source: file.exe | ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree,0_2_0041F3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041F3EB CryptUnprotectData,LocalFree,8_2_0041F3EB

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: Binary string: C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb | source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: (C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb | source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,0_2_0040E7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_0040B300
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_0041FA10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA,0_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040E7B0 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043CA90 CreateThread,CredEnumerateA,SHGetFolderPathA,CreateThread,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA,8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError,8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,8_2_0040B300

                          Networking

                          barindex
                          Source: TrafficSnort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
                          Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
                          Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
                          Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
                          Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
                          Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.93:58709
                          Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49739
                          Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49740
                          Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49740 -> 147.45.47.93:58709
                          Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49746
                          Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49747
                          Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49746 -> 147.45.47.93:58709
                          Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49746
                          Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49747
                          Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 147.45.47.93:58709
                          Source: global trafficTCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
                          Source: global trafficTCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
                          Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                          Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                          Source: Joe Sandbox ViewIP Address: 147.45.47.93 147.45.47.93
                          Source: Joe Sandbox ViewIP Address: 104.26.4.15 104.26.4.15
                          Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                          Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                          Source: unknownDNS query: name: ipinfo.io
                          Source: unknownDNS query: name: ipinfo.io
                          Source: unknownDNS query: name: ipinfo.io
                          Source: unknownDNS query: name: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.93
                          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,0_2_0041E220
                          Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
                          Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
                          Source: unknownDNS traffic detected: queries for: ipinfo.io
                          Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                          Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe.52
                          Source: RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeDatae
                          Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe_prof
                          Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exedatD
                          Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe
                          Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exee
                          Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeoinxs
                          Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exero
                          Source: file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe
                          Source: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe192.168.0
                          Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exepro_botF
                          Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exese
                          Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe~
                          Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mtO
                          Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                          Source: file.exe, file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                          Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/?
                          Source: file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
                          Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.525w
                          Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52gQ
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52j
                          Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52D)
                          Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52r
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: file.exe, file.exe, 00000000.00000002.2256177341.000000000305D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030CF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/

                          System Summary

                          Source: 00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_RedLineStealer_ed346e4c; author: unknown
                          Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Smokeloader_3687686f; author: unknown
                          Source: 00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_RedLineStealer_ed346e4c; author: unknown
                          Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Smokeloader_3687686f; author: unknown
                          Source: 00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_RedLineStealer_ed346e4c; author: unknown
                          Source: 0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_RedLineStealer_ed346e4c; author: unknown
                          Source: 00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_RedLineStealer_ed346e4c; author: unknown
                          Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Smokeloader_3687686f; author: unknown
                          Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Smokeloader_3687686f; author: unknown
                          Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Smokeloader_3687686f; author: unknown
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446020
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00428180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00496450
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004224D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C490
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045A490
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004564A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048C560
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00458520
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00438770
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00424730
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043C800
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044A8F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00442940
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043CA90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042EB90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045CC40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00440C10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E925D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048D250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CB3C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045B4B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043B65D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00423670
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042B670
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004176B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043B750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004378A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431BE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FF09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BFC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048BFB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048E040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044C160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049A160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D02E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004202AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048E35B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00422360
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D4310
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E03D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004944E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00416490
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00484620
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00422852
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043EAEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D2A90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00486AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D0B30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044EB90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F6CC5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048ECA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048CD80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00490E40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049EE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049AE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418EE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00482FE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00440FF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048D020
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CD080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040C490
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004176B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045DDE5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040BFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00446020
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0044C160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0049A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00490100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00428180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004D02E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004202AA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00422360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004D4310
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004E03D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00496450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00402410
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00406430
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004224D9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004944E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00416490
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045A490
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004564A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048C560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00458520
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00402600
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00484620
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00438770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00424730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00422852
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00490860
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043C800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0044A8F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0042C980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004D2A90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00486AA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00434B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004D0B30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0042EB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0044EB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045CC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00440C10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004F6CC5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040CD50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048CD80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00490E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0049EE70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0049AE20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00418EE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00482FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00440FF5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048D020
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004CD080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004E925D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00487270
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048D35B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0047F360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004CB3C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00483470
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00431430
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048B4F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045B4B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004E959F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043B65D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00423670
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0042B670
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004A36EE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00433740
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043B750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00489720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0048F7B0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004DD5B0 appears 40 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402D00 appears 39 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0046A190 appears 94 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0048FE50 appears 51 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00469F00 appears 49 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 004DD5B0 appears 43 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0048FE50 appears 69 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00469F00 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00402D00 appears 36 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0046A190 appears 91 times
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe, 00000000.00000003.1742232486.0000000003093000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe, 00000000.00000000.1643190552.0000000002DBA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
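All ten Yara hits above sit in dump files whose names encode the region's base address and memory attributes, and every one of them is a private read-write-execute region rather than the loaded PE image. The following Python is an added example (not part of the Joe Sandbox report or its tooling) that parses those names and separates private RWX regions, where the unpacked RedLine/SmokeLoader code lives, from image-backed ones. It assumes the fifth and seventh name fields are the Win32 page-protection and region-type values (an assumption that every value in this report is consistent with) and treats the remaining two fields as opaque.

```python
"""Triage of the memory-dump names attached to this report's Yara hits.

Added example, not part of the Joe Sandbox report or its tooling. Each
"Matched rule" source above is a memory dump named
<proc>.<phase>.<id>.<base>.<protect>.<flags>.<type>.<extra>.sdmp. The protect
and type fields are ASSUMED to be the Win32 MEMORY_BASIC_INFORMATION values
(PAGE_* constants and MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE); every value in this
report is consistent with that. The flags and extra fields are sandbox-internal
and left opaque here.
"""
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}          # PAGE_EXECUTE* family
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000


@dataclass(frozen=True)
class Region:
    process_index: int   # same index as the .N.dr suffix on dropped files (17 = RageMP131.exe)
    base: int
    protect: int
    region_type: int
    rule: str = ""

    @property
    def executable(self) -> bool:
        return self.protect in EXECUTABLE_PROTECTIONS

    @property
    def private_rwx(self) -> bool:
        # Unpacked stealer code lives in VirtualAlloc'd private memory that is
        # both writable and executable; a normally loaded PE image has no need for that.
        return self.protect == PAGE_EXECUTE_READWRITE and self.region_type == MEM_PRIVATE


def parse_sdmp(name: str, rule: str = "") -> Region:
    """Parse one dump file name into its region metadata (every field is hex)."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    return Region(int(fields[0], 16), int(fields[3], 16), int(fields[4], 16), int(fields[6], 16), rule)


def classify(region: Region) -> str:
    if region.private_rwx:
        return "private RWX: unpacked payload, dump and scan"
    if region.region_type == MEM_IMAGE and region.protect == PAGE_EXECUTE_READWRITE:
        return "image RWX: PE section rights changed in place"
    if region.executable:
        return "executable"
    return "data"


def regions_to_dump(hits: list) -> dict:
    """Map process index -> sorted bases of private RWX regions carrying a rule hit."""
    out: dict = {}
    for name, rule in hits:
        region = parse_sdmp(name, rule)
        if region.private_rwx:
            out.setdefault(region.process_index, []).append(region.base)
    return {pid: sorted(bases) for pid, bases in out.items()}


# Dump names and rule names copied from the "Matched rule" entries above.
REPORT_HITS = [
    ("00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp", "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp", "Windows_Trojan_Smokeloader_3687686f"),
    ("00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp", "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp", "Windows_Trojan_Smokeloader_3687686f"),
    ("00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp", "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp", "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp", "Windows_Trojan_RedLineStealer_ed346e4c"),
    ("00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp", "Windows_Trojan_Smokeloader_3687686f"),
    ("00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp", "Windows_Trojan_Smokeloader_3687686f"),
    ("0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp", "Windows_Trojan_Smokeloader_3687686f"),
]
# The main image of file.exe (process 0), taken from the OriginalFilename entries, for contrast.
FILE_EXE_IMAGE = "00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp"

if __name__ == "__main__":
    for name, rule in REPORT_HITS + [(FILE_EXE_IMAGE, "(main image)")]:
        r = parse_sdmp(name, rule)
        print(f"proc {r.process_index:2d} base 0x{r.base:08X} {rule:40s} {classify(r)}")
```

The main image entry is worth the contrast: at 0x400000 it is image-backed yet PAGE_EXECUTE_READWRITE, which is the "changes PE section rights" signature from the overview, while the rule hits are all private RWX allocations, which is where the unpacked stealer should be dumped from.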
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/125@3/3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00492300 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00491D10 CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7328
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7988
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RageMP131.exe, 00000011.00000003.2203998016.0000000007A73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A73000.00000004.00000020.00020000.00000000.sdmp, rzThZlFR926oLogin Data.17.dr, jTDil21rwmscLogin Data For Account.0.dr, MKjdaszvj8XCLogin Data For Account.17.dr, SjNa0HpZUcV6Login Data For Account.26.dr, 2_TMjP6pWvYDLogin Data.0.dr, MGPDw7uupP6KLogin Data.26.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
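The Firefox profiles.ini read and the "Login Data" / "Login Data For Account" copies with random prefixes (the .dr entries above, dropped by processes 0, 17 and 26) are the credential-harvesting stage: the stealer copies the Chromium logins database out of the profile before reading it. The script below is an added example, not from the report or from Joe Sandbox, for scoping that exposure during incident response: it finds staged copies of the Chromium logins database outside any browser profile tree and lists which origins had saved credentials in them, without touching the encrypted password values. The sample database, its rows and the decoy file are constructed for the example; the password_notes schema is the one quoted above, and the logins table is reduced to the standard Chromium columns the script uses (the real table has many more).

```python
"""Scoping credential exposure from a stealer's staging copies of Chromium "Login Data".

Added example, not from the report or Joe Sandbox. Sample data is constructed:
the logins table keeps only the standard Chromium columns used here (the real
table has many more); the password_notes schema is the one quoted in the report.
"""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Stealers keep the browser's file name and prepend junk: "rzThZlFR926oLogin Data".
STAGED_NAME = re.compile(r"Login Data(?: For Account)?$")
SQLITE_MAGIC = b"SQLite format 3\x00"


def _open_readonly(path: str) -> sqlite3.Connection:
    # Read-only URI so triage never modifies evidence; as_uri() percent-encodes the space.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def is_chromium_logins_db(path: str) -> bool:
    """Magic bytes plus a 'logins' table; cheap enough to run on every name match."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return False
    con = _open_readonly(path)
    try:
        names = {row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    finally:
        con.close()
    return "logins" in names


def find_staged_copies(root: str) -> list:
    """Files named like a Login Data DB but living outside a browser 'User Data' tree."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if "User Data" in Path(dirpath).parts:
            continue  # a real profile, not a staging copy
        for name in files:
            path = os.path.join(dirpath, name)
            if STAGED_NAME.search(name) and is_chromium_logins_db(path):
                hits.append(path)
    return sorted(hits)


def exposed_origins(path: str) -> list:
    """(origin_url, username_value) pairs the stealer walked off with; passwords stay untouched."""
    con = _open_readonly(path)
    try:
        return con.execute("SELECT origin_url, username_value FROM logins ORDER BY origin_url").fetchall()
    finally:
        con.close()


def build_sample_staging_dir() -> str:
    """Constructed sample: one staged copy plus a same-named decoy that is not SQLite."""
    root = tempfile.mkdtemp(prefix="stager_")
    con = sqlite3.connect(os.path.join(root, "rzThZlFR926oLogin Data"))  # name pattern from the report
    con.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url VARCHAR NOT NULL,
            username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL
            REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,
            key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER,
            UNIQUE (parent_id, key));
        INSERT INTO logins (origin_url, username_value, password_value)
            VALUES ('https://mail.example.test/', 'alice', X'7631300102');
        INSERT INTO logins (origin_url, username_value, password_value)
            VALUES ('https://bank.example.test/', 'alice@example.test', X'7631300304');
    """)
    con.commit()
    con.close()
    with open(os.path.join(root, "abcdLogin Data For Account"), "wb") as fh:
        fh.write(b"not a database")  # decoy: matches the name pattern, fails the magic check
    return root


if __name__ == "__main__":
    root = build_sample_staging_dir()
    for staged in find_staged_copies(root):
        print(staged)
        for origin, user in exposed_origins(staged):
            print(f"  exposed: {origin} ({user})")
```

The origin list is what goes into the credential-reset ticket; the `password_value` blobs are DPAPI/AES-protected and are deliberately not decrypted here.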
                          Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784
                          Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                          Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 960
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 996
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1020
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1416
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1828
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1848
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 820
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1808
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1940
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 940
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1948
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 952
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dpapi.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: (C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState,0_2_0045DDE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C112B push ecx; iretd 0_2_004C112C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DD189 push ecx; ret 0_2_004DD19C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004C112B push ecx; iretd 8_2_004C112C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DD189 push ecx; ret 8_2_004DD19C
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00482FE0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00482FE0
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: c:\users\user\desktop\file.exe | Event Logs and Signature results: Application crash and keyboard check
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
                          Source: C:\Users\user\Desktop\file.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep | graph_0-70965
                          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: CreateMutex, DecisionNodes, Sleep | graph_0-65998
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: CreateMutex, DecisionNodes, Sleep
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep
                          Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_0-70961
                          Source: C:\Users\user\Desktop\file.exe | Stalling execution: Execution stalls by calling Sleep | graph_0-65942
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos | 0_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos | 8_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-65942
                          Source: C:\Users\user\Desktop\file.exe TID: 7332 | Thread sleep count: 76 > 30
                          Source: C:\Users\user\Desktop\file.exe TID: 7332 | Thread sleep count: 37 > 30
                          Source: C:\Users\user\Desktop\file.exe TID: 7332 | Thread sleep count: 32 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 | Thread sleep count: 33 > 30
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 | Thread sleep count: 98 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992 | Thread sleep count: 89 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992 | Thread sleep count: 128 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 | Thread sleep count: 78 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 | Thread sleep count: 43 > 30
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 | Thread sleep count: 98 > 30
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h | 0_2_00464270
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) | 0_2_004624B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h | 8_2_00464270
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) | 8_2_004624B0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h | 0_2_00492190
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h | 8_2_00492190
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA | 0_2_0040E7B0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError | 0_2_004DB1CB
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error | 0_2_0040B300
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose | 0_2_0041FA10
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA | 0_2_0043EAEB
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040E7B0 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA | 8_2_0040E7B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043CA90 CreateThread,CredEnumerateA,SHGetFolderPathA,CreateThread,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA | 8_2_0043CA90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError | 8_2_004DB1CB
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx | 8_2_004DB251
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error | 8_2_0040B300
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_0040CD50
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware
                          Source: RageMP131.exe, 00000011.00000003.2008536036.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}C
                          Source: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnk
                          Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                          Source: RageMP131.exe, 0000001A.00000003.2093321378.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                          Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                          Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
                          Source: MPGPH131.exe, 00000008.00000003.2368810046.00000000030D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X(
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
                          Source: MPGPH131.exe, 00000009.00000003.2387852289.0000000002E56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4w
                          Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                          Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWo
                          Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                          Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
                          Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
                          Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                          Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                          Source: file.exe, 00000000.00000002.2258431224.0000000007A89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8sautoD
                          Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002F95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW8
                          Source: Amcache.hve.7.drBinary or memory string: VMware Virtual USB Mouse
                          Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                          Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin
                          Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.
                          Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: RageMP131.exe, 00000011.00000002.2353136507.0000000007A92000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8y
                          Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                          Source: Amcache.hve.7.drBinary or memory string: VMware20,1hbin@
                          Source: Amcache.hve.7.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                          Source: Amcache.hve.7.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                          Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002F40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&'
                          Source: Amcache.hve.7.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: Amcache.hve.7.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                          Source: Amcache.hve.7.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                          Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW5t
                          Source: Amcache.hve.7.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                          Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin`
                          Source: Amcache.hve.7.drBinary or memory string: \driver\vmci,\driver\pci
                          Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z)
                          Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                          Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                          Source: RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8
                          Source: file.exe, 00000000.00000003.2223197438.0000000007AA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
                          Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414870 IsDebuggerPresent | 0_2_00414870
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,OutputDebugStringA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep | 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState | 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] | 0_2_004160B0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 mov eax, dword ptr fs:[00000030h] | 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] | 0_2_0045E5D4
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043CA90 mov eax, dword ptr fs:[00000030h] | 0_2_0043CA90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 0_2_0045EA9C
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 0_2_0041AB90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] | 0_2_0045D9F0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] | 0_2_0045D9F0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 0_2_0045DDE5
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 0_2_0041AB90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 0_2_0041AB90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414870 mov eax, dword ptr fs:[00000030h] | 0_2_00414870
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 0_2_00414ED0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 0_2_0041AB90
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041EF10 mov eax, dword ptr fs:[00000030h] | 0_2_0041EF10
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045E5D4 mov eax, dword ptr fs:[00000030h] | 8_2_0045E5D4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] | 8_2_0045E5D4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] | 8_2_0045EA9C
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h] | 8_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h] | 8_2_0045D9F0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] | 8_2_0045DDE5
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004160B0 mov ecx, dword ptr fs:[00000030h] | 8_2_004160B0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414870 mov eax, dword ptr fs:[00000030h] | 8_2_00414870
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0043CA90 mov eax, dword ptr fs:[00000030h] | 8_2_0043CA90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] | 8_2_00414ED0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] | 8_2_0041AB90
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_0041EF10 mov eax, dword ptr fs:[00000030h] | 8_2_0041EF10
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00482C80 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle | 0_2_00482C80
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DD3B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_004DD3B4
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_004DD74D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 8_2_004DD74D

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject | 0_2_00418BB0
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 8_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject | 8_2_00418BB0
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004149F0 cpuid | 0_2_004149F0
                          Source: C:\Users\user\Desktop\file.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_0040CD50
                          Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW | 0_2_004FC045
                          Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW | 0_2_004FC090
                          Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW | 0_2_004FC12B
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_004FC1B6
                          Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW | 0_2_004F43EA
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW | 0_2_004FC409
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_004FC532
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW | 0_2_004FC638
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_004FC70E
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW | 0_2_004F496D
                          Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoEx,FormatMessageA | 0_2_004DAFC3
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC045
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC090
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004FC12B
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 8_2_004FC1B6
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW | 8_2_004F43EA
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004FC409
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 8_2_004FC532
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004FC638
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 8_2_004FC70E
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW | 8_2_004F496D
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 8_2_0040CD50
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoEx,FormatMessageA | 8_2_004DAFC3
                          Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                          Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey | 0_2_0040CD50
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA | 0_2_00446020
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F636F GetTimeZoneInformation | 0_2_004F636F
                          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00491C30 GetVersionExA,CreateFileW | 0_2_00491C30
                          Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                          Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 8.3.MPGPH131.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.4ac0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.3.MPGPH131.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.3.RageMP131.exe.4c40000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.4ad0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.4ae0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.4900e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.3.file.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.3.RageMP131.exe.4c30000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2603079344.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2256177341.000000000302E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2348884384.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip, type: DROPPED
                          Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                          Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                          Source: file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx
                          Source: file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                          Source: RageMP131.exe, 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                          Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                          Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                          Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                          Source: RageMP131.exe, 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                          Source: file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                          Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                          Source: Yara match | File source: 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.2343081719.0000000003065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2350560658.0000000003069000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.2307237063.0000000003058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR
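The file and registry accesses listed in this section form a recognisable pattern: one process walking every Chrome extension storage directory, the Firefox profile databases, the Thunderbird profile file and the Outlook messaging-subsystem profile key, while its memory holds paths to a dozen wallet applications. The script below is an added hunting example, not part of the Joe Sandbox report or of the sample. It scores simple "pid,image,op,path" records (a format assumed for this demo; map your own EDR or Sysmon file and registry telemetry onto it) using the indicator strings the report lists, weights breadth over any single hit, and skips browsers reading their own stores so the check does not fire on chrome.exe or firefox.exe. The sample records are constructed to mirror the report's "File opened" and "Key opened" lines.

```python
"""Score processes whose file/registry accesses match the wallet and
browser-credential sweep recorded in the report. Added example; the record
format and the weights are assumptions, the indicator strings are the ones
the report lists."""
import re
from dataclasses import dataclass, field

# Wallet locations that appeared as strings in the sample's memory.
WALLET_MARKERS = [
    r"\Electrum-LTC\wallets", r"\ElectronCash\wallets", r"\com.liberty.jaxx",
    r"\Exodus\exodus.wallet", r"\Ethereum\wallets", r"\Binance\app-store.json",
    r"\Coinomi\Coinomi\wallets", r"\MultiDoge\multidoge.wallet", r"\Ledger Live",
]
# Gecko profile files the sample opened (passwords, form data, history).
BROWSER_CRED_FILES = ["logins.json", "signons.sqlite", "formhistory.sqlite", "places.sqlite"]
# Mail-client artifacts the sample opened.
MAIL_MARKERS = [
    r"\Thunderbird\profiles.ini",
    r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]
# Chrome extension storage: ...\(Local|Sync) Extension Settings\<id>\CURRENT,
# where a Chrome extension id is 32 characters drawn from the range a-p.
EXT_SETTINGS_RE = re.compile(
    r"\\(?:Local|Sync) Extension Settings\\([a-p]{32})\\CURRENT$", re.IGNORECASE)
# Browsers read their own extension storage and login databases routinely.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


@dataclass
class ProcessProfile:
    image: str
    extension_ids: set = field(default_factory=set)
    wallet_hits: set = field(default_factory=set)
    browser_cred_hits: set = field(default_factory=set)
    mail_hits: set = field(default_factory=set)

    def score(self) -> int:
        """Breadth is the signal: one process sweeping many stores at once."""
        score = 3 if len(self.extension_ids) >= 5 else (1 if self.extension_ids else 0)
        score += min(len(self.wallet_hits), 3)
        score += 2 if self.browser_cred_hits else 0
        score += 2 if self.mail_hits else 0
        return score


def profile_records(records):
    """Group 'pid,image,op,path' records per pid and tag what each process touched."""
    profiles = {}
    for rec in records:
        pid, image, op, path = rec.split(",", 3)
        prof = profiles.setdefault(int(pid), ProcessProfile(image))
        lowered = path.lower()
        if (m := EXT_SETTINGS_RE.search(path)) is not None:
            prof.extension_ids.add(m.group(1).lower())   # Local and Sync dedupe to one id
        prof.wallet_hits.update(w for w in WALLET_MARKERS if w.lower() in lowered)
        if op == "file":
            prof.browser_cred_hits.update(
                f for f in BROWSER_CRED_FILES if lowered.endswith("\\" + f))
        prof.mail_hits.update(mk for mk in MAIL_MARKERS if mk.lower() in lowered)
    return profiles


def suspicious_pids(records, threshold=5):
    """Return {pid: score} for processes whose access pattern matches the sweep."""
    flagged = {}
    for pid, prof in profile_records(records).items():
        # A browser reading its own stores is expected; keep it only if it
        # also reaches for wallets or mail profiles, which it has no reason to do.
        if prof.image.lower() in BROWSER_IMAGES and not (prof.wallet_hits or prof.mail_hits):
            continue
        if prof.score() >= threshold:
            flagged[pid] = prof.score()
    return flagged


# Constructed records modelled on the report's 'File opened' / 'Key opened' lines.
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
ROAMING = r"C:\Users\user\AppData\Roaming"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")
SAMPLE_RECORDS = [
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT",
    "7988,RageMP131.exe,file," + CHROME + r"\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT",
    "7988,RageMP131.exe,file," + FIREFOX + r"\logins.json",
    "7988,RageMP131.exe,file," + FIREFOX + r"\places.sqlite",
    "7988,RageMP131.exe,file," + ROAMING + r"\Thunderbird\profiles.ini",
    "7988,RageMP131.exe,registry," + OUTLOOK_KEY,
    "7328,file.exe,file," + ROAMING + r"\Exodus\exodus.wallet",
    "7328,file.exe,file," + ROAMING + r"\Electrum-LTC\wallets",
    "7328,file.exe,file," + ROAMING + r"\Ledger Live",
    "7328,file.exe,file," + ROAMING + r"\Thunderbird\profiles.ini",
    "7328,file.exe,registry," + OUTLOOK_KEY,
    "4242,chrome.exe,file," + CHROME + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT",
    "4242,chrome.exe,file," + CHROME + r"\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT",
    "5150,firefox.exe,file," + FIREFOX + r"\logins.json",
]

if __name__ == "__main__":
    for pid, score in sorted(suspicious_pids(SAMPLE_RECORDS).items()):
        print(f"pid {pid}: score {score}")
```

With the constructed records, RageMP131.exe (six distinct extension stores, Firefox login data, Thunderbird and Outlook profiles) scores 7 and file.exe (three wallet paths plus the mail markers) scores 5, while chrome.exe and firefox.exe are skipped. The threshold and weights are starting points: the extension-count rule is the most robust part, because a stealer has to enumerate many stores to be useful while a legitimate process rarely opens more than a few in one session.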

                          Remote Access Functionality

                          Source: Yara match | File source: 8.3.MPGPH131.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.4ac0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.3.MPGPH131.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.3.RageMP131.exe.4c40000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.4ad0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 26.2.RageMP131.exe.4ae0e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.MPGPH131.exe.4900e67.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.3.file.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 17.3.RageMP131.exe.4c30000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2603079344.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2256177341.000000000302E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2348884384.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip, type: DROPPED
                          MITRE ATT&CK Matrix

                          Techniques with mapped behavior signatures, per tactic; the number in parentheses is the count shown beside the technique in the report's matrix. Tactics with no mapped signature (Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact) are omitted.

                          Execution: Native API (21); Command and Scripting Interpreter (2); Scheduled Task/Job (1)
                          Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                          Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                          Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (12); Process Injection (11)
                          Credential Access: OS Credential Dumping (1)
                          Discovery: System Time Discovery (12); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (57); Security Software Discovery (261); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                          Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1)
                          Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
Behavior Graph (ID 1427905, sample file.exe, start date 18/04/2024, architecture WINDOWS, score 100), flattened from the interactive graph; node numbers are the graph's own.

Root (node 2)
  DNS: ipinfo.io; db-ip.com
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures
  Starts: file.exe (node 8); MPGPH131.exe (node 13); RageMP131.exe (node 15); 2 other processes (node 17)

file.exe (node 8)
  Network: 147.45.47.93, ports 49730, 49739, 49740 as listed (FREE-NET-AS FREEnet EU, Russian Federation); ipinfo.io = 34.117.186.192, TCP 443, local ports 49737, 49741 (GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States); db-ip.com = 104.26.4.15, TCP 443, local ports 49738, 49742 (CLOUDFLARENET US, United States)
  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\e_uwnYJDOrnylP4tGD1vKSo.zip (Zip)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 5 other signatures
  Starts: schtasks.exe (node 19), which starts conhost.exe (node 33); schtasks.exe (node 21), which starts conhost.exe (node 35); WerFault.exe (node 23); 10 other processes (node 31)

MPGPH131.exe (node 13)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

RageMP131.exe (node 15)
  Dropped: C:\Users\user\...\dSyaNbAby9QXs4RBu3VN33H.zip (Zip)
  Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen)
  Starts: WerFault.exe (nodes 25, 27, 29)

2 other processes (node 17)
  Dropped: C:\Users\user\...\OfCx6VeglYVpWTwI9NddWAo.zip (Zip)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Reading notes: the two schtasks.exe children of file.exe are the persistence mechanism (the graph does not record the task names); the WerFault.exe children are Windows Error Reporting handling crashes of their parent, not components of the malware; ipinfo.io and db-ip.com are legitimate geolocation services, so 147.45.47.93 is the only contacted address of interest here.
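The following PowerShell is an added host-triage example and is not part of the Joe Sandbox report. It checks a live Windows endpoint for the artefacts the behavior graph above records: the two dropped executables (in every user profile, since the RageMP131 copy lives under AppData\Local), any scheduled task whose action launches either of them (the report shows two schtasks.exe runs but not the task names, so matching is on the action path, which is an assumption about how the persistence was registered), and current TCP connections to the addresses the report lists. Only the file paths and IP addresses come from the report; the function names, output format and the choice of cmdlets are this example's own.

```powershell
# Added triage example (not part of the Joe Sandbox report): look for the RisePro artefacts
# that analysis 1427905 recorded, on a live Windows host. File paths and remote addresses are
# copied from the report; task names are NOT known from the report, so tasks are matched by
# the path in their action (assumption). Run elevated; Get-ScheduledTask and
# Get-NetTCPConnection need Windows 8 / Server 2012 or later.

# Dropped executables from the behavior graph. The RageMP131 copy sits under the victim's
# %LOCALAPPDATA%, so every profile under C:\Users is checked, not only the current user's.
$DroppedPaths = @('C:\ProgramData\MPGPH131\MPGPH131.exe') +
    @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\RageMP131\RageMP131.exe' })

# Remote hosts from the report: the contacted 147.45.47.93 and the two payload download hosts.
# ipinfo.io / db-ip.com are deliberately left out: they are legitimate geolocation services.
$RemoteAddresses = @('147.45.47.93', '147.45.47.102', '193.233.132.167')

function Get-DroppedFileFindings {
    foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Kind = 'DroppedFile'; Indicator = $p; Detail = "SHA256=$hash" }
        }
    }
}

function Get-ScheduledTaskFindings {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute/Arguments; other action types have neither and fall through.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match 'MPGPH131|RageMP131') {
                [pscustomobject]@{
                    Kind      = 'ScheduledTask'
                    Indicator = "$($task.TaskPath)$($task.TaskName)"
                    Detail    = $cmd
                }
            }
        }
    }
}

function Get-NetworkFindings {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $RemoteAddresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Kind      = 'Connection'
                Indicator = "$($_.RemoteAddress):$($_.RemotePort)"
                Detail    = "state=$($_.State) pid=$($_.OwningProcess) image=$($proc.Path)"
            }
        }
}

$findings = @(Get-DroppedFileFindings) + @(Get-ScheduledTaskFindings) + @(Get-NetworkFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No artefacts from Joe Sandbox analysis 1427905 found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The .zip staging archives the graph shows are not matched because their names are random per run; look instead for recently created .zip files in the user profile. A hit on a file path or task is a strong signal on its own, since neither directory name is used by legitimate software the report identifies; a connection hit is only as good as the address list, which a different build of the stealer will not share.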

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
  Source    Detection  Scanner         Label
  file.exe  47%        ReversingLabs
  file.exe  100%       Avira           HEUR/AGEN.1310450
  file.exe  100%       Joe Sandbox ML

Dropped files
  Source                                               Detection  Scanner         Label              Link
  C:\ProgramData\MPGPH131\MPGPH131.exe                 100%       Avira           HEUR/AGEN.1310450
  C:\ProgramData\MPGPH131\MPGPH131.exe                 100%       Joe Sandbox ML
  C:\ProgramData\MPGPH131\MPGPH131.exe                 47%        ReversingLabs
  C:\ProgramData\MPGPH131\MPGPH131.exe                 48%        Virustotal                         Browse
  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe  47%        ReversingLabs
  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe  48%        Virustotal                         Browse

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
  Source                                          Detection  Scanner         Label    Link
  http://193.233.132.167/cost/lenin.exe           100%       URL Reputation  malware
  http://147.45.47.102:57893/hera/amadka.exe      15%        Virustotal               Browse
  http://193.233.132.167/cost/go.exe              25%        Virustotal               Browse
  http://193.233.132.167/cost/go.exee             24%        Virustotal               Browse
  http://193.233.132.167/cost/lenin.exe192.168.0  25%        Virustotal               Browse
  http://193.233.132.167/cost/go.exero            24%        Virustotal               Browse

The last three URL entries are the two 193.233.132.167 download URLs with trailing bytes from adjacent process memory appended (string-extraction artefacts), not distinct URLs; the dropped files carry the same detections as the submitted sample because they are copies of it.
Contacted domains
  Name       IP              Active  Malicious  Antivirus Detection  Reputation
  ipinfo.io  34.117.186.192  true    false                           high
  db-ip.com  104.26.4.15     true    false                           high

Contacted URLs
  Name                                            Malicious  Antivirus Detection  Reputation
  https://ipinfo.io/widget/demo/81.181.57.52      false                           high
  https://db-ip.com/demo/home.php?s=81.181.57.52  false                           high

Both URLs are geolocation lookups of a single address (presumably the analysis host's own egress IP) against legitimate services; they profile the victim and are not command and control. The actionable network indicators are the contacted host 147.45.47.93 and the download URLs on 193.233.132.167 and 147.45.47.102 listed above and below.
URLs from memory and binaries (columns: Name; Source; Malicious; Antivirus Detection; Reputation). Many names carry trailing characters after the real URL (for example "lenin.exese", "risepro_botW", "home.php?s=81.181.57.52D)") because the string was read out of process memory next to unrelated bytes; the URL proper is the prefix up to the file name or query string. Source lists that recur verbatim are written out once and referred to by name afterwards.

https://duckduckgo.com/chrome_newtab (malicious: false; reputation: high)
  Sources ("browser Web Data set", reused below): file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp; Tx9lIpMUG2zOWeb Data.26.dr; weyqQCNm9HN2Web Data.0.dr; tcNWocR92MUuWeb Data.17.dr; ToLgTrDbYUcjWeb Data.26.dr; FxAu1a1JDtB8Web Data.0.dr; eBt1v4cLiOqEWeb Data.0.dr; fotzzxFskzb6Web Data.17.dr; 8Mse1jO6nK1IWeb Data.26.dr; 6_PbUyeA3kVjWeb Data.17.dr

https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF (malicious: false; reputation: high)
  Sources: D87fZN3R3jFeplaces.sqlite.0.dr
  (the suffix "gro.allizom.troppus." is the reversed host Firefox stores beside each URL in places.sqlite, followed by the 12-character place GUID; the copied database is a dropped file with the stealer's random 12-character prefix, like the Web Data and History copies)

https://duckduckgo.com/ac/?q= (malicious: false; reputation: high)
  Sources: browser Web Data set

https://db-ip.com/demo/home.php?s=81.181.57.52j (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

http://147.45.47.102:57893/hera/amadka.exe (malicious: false; reputation: unknown)
  Sources: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/widget/demo/81.181.57.52$v (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp

http://crl.mtO (malicious: false; reputation: unknown)
  Sources: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com/ (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

http://193.233.132.167/cost/lenin.exese (malicious: false; reputation: unknown)
  Sources: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= (malicious: false; reputation: high)
  Sources: browser Web Data set

https://t.me/risepro_botW (malicious: false; reputation: high)
  Sources ("file.exe 030B6000 set", reused below): file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 (malicious: false; reputation: high)
  Sources: RageMP131.exe, 00000011.00000003.2207015077.0000000007ABD000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2465348973.0000000007AB3000.00000004.00000020.00020000.00000000.sdmp; LZlzsFoefEVpHistory.17.dr; d4QTaPGdbj7gHistory.17.dr; MBSHfyCuKHxNHistory.26.dr; IcPAi7xok6iaHistory.0.dr; QkoBCD2tTFlpHistory.0.dr; GUahzsMvIC8wHistory.26.dr

http://147.45.47.102:57893/hera/amadka.exeDatae (malicious: false; reputation: unknown)
  Sources: RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp

http://147.45.47.102:57893/hera/amadka.exe.52 (malicious: false; reputation: unknown)
  Sources ("RageMP131.exe 03002000 set", reused below): RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com:443/demo/home.php?s=81.181.57.52D) (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/widget/demo/81.181.57.52H) (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp

http://193.233.132.167/cost/go.exe (malicious: false; reputation: unknown)
  Sources: file.exe 030B6000 set; file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe 03002000 set; RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

http://147.45.47.102:57893/hera/amadka.exedatD (malicious: false; reputation: unknown)
  Sources: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com/demo/home.php?s=81.181.57.52gQ (malicious: false; reputation: high)
  Sources: RageMP131.exe, 00000011.00000002.2348884384.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com/? (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/~ (malicious: false; reputation: high)
  Sources: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp

https://t.me/RiseProSUPPORTR (malicious: false; reputation: high)
  Sources: RageMP131.exe, 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io:443/widget/demo/81.181.57.52 (malicious: false; reputation: high)
  Sources: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2306068480.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2307548661.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2349881372.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2312025857.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2308251432.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp

https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install (malicious: false; reputation: high)
  Sources: LZlzsFoefEVpHistory.17.dr; d4QTaPGdbj7gHistory.17.dr; MBSHfyCuKHxNHistory.26.dr; IcPAi7xok6iaHistory.0.dr; QkoBCD2tTFlpHistory.0.dr; GUahzsMvIC8wHistory.26.dr

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search (malicious: false; reputation: high)
  Sources: browser Web Data set

https://ipinfo.io/t (malicious: false; reputation: high)
  Sources: file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000008.00000002.2554428927.00000000030A0000.00000004.00000020.00020000.00000000.sdmp

https://t.me/risepro_botisepro_bot (malicious: false; reputation: high)
  Sources: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

http://193.233.132.167/cost/go.exee (malicious: false; reputation: unknown)
  Sources: RageMP131.exe 03002000 set

http://193.233.132.167/cost/lenin.exepro_botF (malicious: false; reputation: unknown)
  Sources: RageMP131.exe 03002000 set

http://193.233.132.167/cost/lenin.exe (malicious: true; Antivirus detection: URL Reputation: malware; reputation: unknown)
  Sources: file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp; file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/n (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E30000.00000004.00000020.00020000.00000000.sdmp

https://t.me/risepro_botrisepro (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com:443/demo/home.php?s=81.181.57.52r (malicious: false; reputation: high)
  Sources: file.exe 030B6000 set

https://t.me/risepro_bot. (malicious: false; reputation: high)
  Sources: file.exe 030B6000 set

https://db-ip.com/demo/home.php?s=81.181.57.525w (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp

https://db-ip.com:443/demo/home.php?s=81.181.57.52 (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe 03002000 set; RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

http://193.233.132.167/cost/go.exeoinxs (malicious: false; reputation: unknown)
  Sources: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/widget/demo/81.181.57.52.tmpW (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.00000000030AA000.00000004.00000020.00020000.00000000.sdmp

https://www.google.com/images/branding/product/ico/googleg_lodp.ico (malicious: false; reputation: high)
  Sources: browser Web Data set

https://t.me/RiseProSUPPORTS) (malicious: false; reputation: high)
  Sources: MPGPH131.exe, 00000008.00000002.2554428927.000000000306E000.00000004.00000020.00020000.00000000.sdmp

http://193.233.132.167/cost/lenin.exe192.168.0 (malicious: false; reputation: unknown)
  Sources: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll (malicious: false; reputation: high)
  Sources: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp; file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp; file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp; RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp; RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp
  (unlike the heap-only entries above, this string is also present in the main-module image dumps at base 0x00400000 of file.exe, MPGPH131.exe and RageMP131.exe, i.e. in the unpacked payload itself; the adjacent "Ws2_32.dll" is the neighbouring import-name string)

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= (malicious: false; reputation: high)
  Sources: browser Web Data set

http://upx.sf.net (malicious: false; reputation: high)
  Sources: Amcache.hve.7.dr

https://t.me/RiseProSUPPORT (malicious: false)
  Sources: RageMP131.exe, 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp; dSyaNbAby9QXs4RBu3VN33H.zip.17.dr; e_uwnYJDOrnylP4tGD1vKSo.zip.0.dr; OfCx6VeglYVpWTwI9NddWAo.zip.26.dr
                                                                                                                  high
                                                                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016RageMP131.exe, 00000011.00000003.2207015077.0000000007ABD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2465348973.0000000007AB3000.00000004.00000020.00020000.00000000.sdmp, LZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.drfalse
                                                                                                                    high
                                                                                                                    https://t.me/RiseProSUPPORT$RageMP131.exe, 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://t.GMPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://www.ecosia.org/newtab/file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drfalse
                                                                                                                          high
                                                                                                                          https://ipinfo.io/Mozilla/5.0file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.0.drfalse
                                                                                                                              high
                                                                                                                              https://t.me/risepro_bot1.181.57.52MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drfalse
                                                                                                                                  high
                                                                                                                                  https://t.me/risepro_botRageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2568774506.0000000007AFA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.26.dr, passwords.txt.17.drfalse
                                                                                                                                    high
                                                                                                                                    http://193.233.132.167/cost/lenin.exe~RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://193.233.132.167/cost/go.exeroRageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                                                                                      https://t.me/risepro_botlaterfile.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://ipinfo.io/file.exe, file.exe, 00000000.00000002.2256177341.000000000305D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030CF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 
00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.maxmind.com/en/locate-my-ip-addressfile.exe, MPGPH131.exefalse
                                                                                                                                            high
                                                                                                                                            http://www.winimage.com/zLibDllfile.exe, file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesLZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.drfalse
                                                                                                                                                  high
                                                                                                                                                  http://147.45.47.102:57893/hera/amadka.exe_proffile.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.winimage.com/zLibDllDpRTpRfile.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427905
Start date and time: 2024-04-18 10:28:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/125@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 81
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:29:03 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
09:29:03 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
09:29:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
09:29:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
                                                                                                                                                        w.shGet hashmaliciousXmrigBrowse
                                                                                                                                                        • /ip
                                                                                                                                                        Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                        • ipinfo.io/ip
                                                                                                                                                        Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                        • ipinfo.io/ip
                                                                                                                                                        uUsgzQ3DoW.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                        • ipinfo.io/ip
                                                                                                                                                        8BZBgbeCcz.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                        • ipinfo.io/ip
                                                                                                                                                        147.45.47.93dendy.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                          Q73YlTAmWe.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                            file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                              7AdIyN5s2K.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                YUoiqJo8Sk.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                  JR58WqLhRl.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                    file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                      SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exeGet hashmaliciousGlupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                        I44O512o10.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                          Jt0SXpowC4.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                                                            104.26.4.15#Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exeGet hashmaliciousNemty, XmrigBrowse
                                                                                                                                                                            • api.db-ip.com/v2/free/102.129.152.212/countryName
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | dendy.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
ipinfo.io | Q73YlTAmWe.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | file.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | BetaUnfrated.exe | malicious | Pafish | 34.117.186.192
ipinfo.io | nsis-installer.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | nsis-installer.exe | malicious | Unknown | 34.117.186.192
ipinfo.io | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
ipinfo.io | SecuriteInfo.com.FileRepMalware.18165.2747.exe | malicious | Unknown | 34.117.186.192
db-ip.com | dendy.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | Q73YlTAmWe.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 172.67.75.166
db-ip.com | 7AdIyN5s2K.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
db-ip.com | YUoiqJo8Sk.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | JR58WqLhRl.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | TANQUIVUIA.exe | malicious | LummaC, RisePro Stealer | 172.67.75.166
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | dendy.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Q73YlTAmWe.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://www.indeks.pt/ | malicious | Unknown | 34.117.198.124
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | BetaUnfrated.exe | malicious | Pafish | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | nsis-installer.exe | malicious | Unknown | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | nsis-installer.exe | malicious | Unknown | 34.117.186.192
FREE-NET-ASFREEnetEU | dendy.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 193.233.132.175
FREE-NET-ASFREEnetEU | Q73YlTAmWe.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | https://casestudybuddy.com | malicious | Unknown | 147.45.47.87
FREE-NET-ASFREEnetEU | PBZcC2ge1z.exe | malicious | PureLog Stealer, RHADAMANTHYS | 147.45.77.238
FREE-NET-ASFREEnetEU | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
FREE-NET-ASFREEnetEU | 7AdIyN5s2K.exe | malicious | RisePro Stealer | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
FREE-NET-ASFREEnetEU | YUoiqJo8Sk.exe | malicious | RisePro Stealer | 147.45.47.93
CLOUDFLARENETUS | dendy.exe | malicious | RisePro Stealer | 104.26.5.15
CLOUDFLARENETUS | 5Dw2hTQmiB.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Purchase Order PDF.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.44.10
CLOUDFLARENETUS | Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | p silp AI240190.pdf.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://ortelia.com/Downloads/Curator/CuratorSetup.exe | malicious | Havoc | 1.1.1.1
CLOUDFLARENETUS | https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1 | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | https://ortelia.com/download-ortelia-curator/ | malicious | Havoc | 1.1.1.1
CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | malicious | AgentTesla | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | dendy.exe | malicious | RisePro Stealer | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | 5Dw2hTQmiB.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | Quotation 20241804.exe | malicious | Remcos, DBatLoader | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | payload.js | malicious | Unknown | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | payload.js | malicious | Unknown | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 34.117.186.192, 104.26.4.15
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe | malicious | Remcos, DBatLoader |
                                                                                                                                                                            • 34.117.186.192
                                                                                                                                                                            • 104.26.4.15
                                                                                                                                                                            No context

Process:C:\Users\user\Desktop\file.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):962560
Entropy (8bit):7.713192136777905
Encrypted:false
SSDEEP:12288:oekLV5eBOkw6Qhe4Yh5wV/uVJuEk6sP4lX8DbDK45dg/bdlh84LZ8Xt8quJsHmrE:on6rhau/OglUbD5yb5LLuXBuJsH4
MD5:265D5B8B9F603F0F5EF62F2C27449607
SHA1:39576D6D8388DEA489946141DBCCF9CF5FE3A28F
SHA-256:948D096A3931A22F116B93FFEEFB3A374834D8EB578620C0FFC83F3E468EED81
SHA-512:9D4AC79A62FBD0CB1D76C48848AF7863DDA72BD16368250A2258B3D30A4DDDCB24C38AC62555222706041A5073CBC39D291B14ECDF222C7E04ADD5374403AF66
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%
• Antivirus: Virustotal, Detection: 48%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....0.e............................g............@.................................:........................................(..d.......p........................... ...8...................h....... ...@............................................text.............................. ..`.rdata.............................@..@.data....Q...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
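The 26-byte ASCII stream above is a Mark-of-the-Web `Zone.Identifier` alternate data stream. ZoneId=0 is the Local Machine zone, so the file it is attached to carries no Internet-zone mark and will not get the SmartScreen prompt or Office Protected View treatment that a ZoneId=3 download would. The Python below is an added example, not Joe Sandbox code: it rebuilds the size, entropy and hash fields of a dropped-file entry and parses the stream. The stream bytes are constructed here in the standard layout Windows writes, which is an assumption; the entry's size and entropy come out identical whichever way the two CRLFs are placed, while the hashes depend on the exact byte layout and should be compared against the MD5/SHA1 printed above rather than taken as confirmed.

```python
"""Rebuild the size / entropy / hash fields of a dropped-file entry and read a
Zone.Identifier (Mark-of-the-Web) stream.

Added example, not Joe Sandbox code. ZONE_IDENTIFIER is constructed in the
standard layout Windows writes; that layout is an assumption.
"""
import hashlib
import math
from collections import Counter

# Constructed sample: 26 ASCII bytes, CRLF line terminators, ZoneId=0, as in
# the entry above. Assumption: one CRLF after each line (the standard layout).
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# URLZONE values a ZoneId can carry (urlmon.h); 3 and 4 are what SmartScreen
# and Office Protected View react to.
URLZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
            3: "Internet", 4: "Restricted Sites"}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte, the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_info(data: bytes) -> dict:
    """The size, entropy and hash fields the report prints for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style stream; returns the keys of the [ZoneTransfer] section."""
    fields, section = {}, None
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def zone_name(fields: dict) -> str:
    """Human-readable zone, 'unknown' when ZoneId is missing or out of range."""
    try:
        return URLZONES.get(int(fields["ZoneId"]), "unknown")
    except (KeyError, ValueError):
        return "unknown"


def carries_internet_mark(fields: dict) -> bool:
    """True when the mark makes Windows treat the file as downloaded (zone >= 3)."""
    try:
        return int(fields["ZoneId"]) >= 3
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    for key, value in file_info(ZONE_IDENTIFIER).items():
        print(f"{key}: {value}")
    fields = parse_zone_identifier(ZONE_IDENTIFIER)
    print(fields, zone_name(fields), "internet mark:", carries_internet_mark(fields))
```

Run it and compare the printed MD5/SHA1 with the entry: a match confirms the assumed byte layout; a mismatch means the two CRLFs sit elsewhere (the preview's four dots could also be read as a blank line between the two keys), which changes the hashes but not the 26-byte size or the 3.95 entropy.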

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9086736091529007
Encrypted:false
SSDEEP:96:qlqXTP2/syhqjoA7JfPQXIDcQnc6rCcEhcw3rL+HbHg/8BRTf3ZFEOyKZoxm9nFc:nP2/qk056rgjpSZrYFzuiFAZ24IO8Wf
MD5:44DCD5695C3596C86950762358FC312B
SHA1:FA67FBE5F2E8A8DBDF48B2EDE6FF8949108D7ECC
SHA-256:AC095DBAF59A398776CC78FB8AF73BEEB95880CD4AA4D6391B922BF323CB8364
SHA-512:A34C93CDEF10726F3E35A4C425A96D90413261B286A92F4B3441E3FF9B7E3FD466E417C80E594B8AB048C916DACBEFE4E55A1639F3B6EEA0022122351B598BC2
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.6.8.8.8.1.8.5.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.8.0.0.1.e.d.-.2.c.e.3.-.4.e.1.e.-.9.0.1.9.-.8.6.7.a.1.1.2.9.2.1.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.f.c.1.a.3.d.-.8.7.4.8.-.4.4.e.f.-.9.6.3.2.-.f.c.8.3.a.7.3.e.b.b.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.3.4.-.0.0.0.1.-.0.0.1.4.-.d.1.a.0.-.4.3.7.f.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.c.8.a.f.e.7.0.8.2.7.c.2.d.4.6.a.b.3.3.2.9.a.1.2.c.5.5.3.b.5.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.R.a.g.e.M.P.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.R.a.g.e.M.P.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9487723351229108
Encrypted:false
SSDEEP:192:vSPc/qk056rgjpSZrYKzuiFAZ24IO8Wf:qPsqf56rgjYzuiFAY4IO8Wf
MD5:D2F49D5142CF7B9199E4B1291F3D8465
SHA1:481949304E1B8C26ED92D5B0C089FD8D25A42DB2
SHA-256:3C1CB55CFD5B02DDB4FF3DB3D4493F45B21F20A80D5611FAE406C0A621EAE79E
SHA-512:FD41397F17B02B4FB40850F0C22CFE54287E477B6FF65FEFFF7F68E9307CA8C3A0929058EFECBC6A867AA0955127328528A14DD1945C2BF5C4B9317AD4043696
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.7.5.2.4.1.9.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.d.e.6.7.9.6.-.0.6.3.0.-.4.3.a.d.-.9.3.e.5.-.8.1.a.7.3.d.4.7.5.5.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.2.0.8.9.7.7.-.2.7.8.d.-.4.a.5.a.-.8.e.d.6.-.c.2.6.8.4.9.1.e.6.7.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.3.4.-.0.0.0.1.-.0.0.1.4.-.d.1.a.0.-.4.3.7.f.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.c.8.a.f.e.7.0.8.2.7.c.2.d.4.6.a.b.3.3.2.9.a.1.2.c.5.5.3.b.5.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.R.a.g.e.M.P.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.R.a.g.e.M.P.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9485051067992631
Encrypted:false
SSDEEP:192:eyRPe/qk056rgjpSZrYKzuiFAZ24IO8Wf:eyRP+qf56rgjYzuiFAY4IO8Wf
MD5:8F29F23BFCE648A84B7248B90F70A13E
SHA1:B7F4521DA7855D3BB81A48259F93573A1CE98331
SHA-256:85FCC6B4802C20BA0B03B2ADAD935850FFB2774DA36C211E3ABB2AC7E686B434
SHA-512:8EC842B1C1000048EC5EAB9F32CE2A76ADA1EC0A67FDD3D3EDA132DB006534D750E39CDAE58B1F1D15161E8E9245D7279C3E021360DB23D78A5DE1F0FAA30C62
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.7.6.9.7.9.6.5.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.a.1.5.f.e.3.-.4.2.7.3.-.4.d.5.b.-.9.7.f.7.-.4.3.8.a.6.a.d.c.3.f.7.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.a.3.a.1.b.1.-.b.3.d.d.-.4.4.9.2.-.8.1.7.9.-.d.8.e.5.2.1.f.e.2.1.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.3.4.-.0.0.0.1.-.0.0.1.4.-.d.1.a.0.-.4.3.7.f.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.c.8.a.f.e.7.0.8.2.7.c.2.d.4.6.a.b.3.3.2.9.a.1.2.c.5.5.3.b.5.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.R.a.g.e.M.P.1.3.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.R.a.g.e.M.P.1.3.1...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0360082152974495
Encrypted:false
SSDEEP:192:IgBL3BxvBPl00JsAnbcAgI3jpSZrYTnkzuiFAZ24IO8TVB:Ik7vBNvJsAnbcA3j5kzuiFAY4IO8X
MD5:F0BF6CDECE47724B174B8D0CA96E4047
SHA1:6DE159AAE508F3B140509D664561DEEA4EF05EDA
SHA-256:AEB13CBDE7EC76A1D9F6238666C45B2D5FDCF61147F69333FB2F5A3BD1F00DB4
SHA-512:1A0AABA4ED7F377B5EB220FA036477D31ACAC05CFCF00648267C7B61F96CED945A61ABB6439C630BA6EB3E84592B5C894190465D2F2F7B83068EFB33FE88134D
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.7.3.4.4.5.7.2.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.5.d.4.6.8.c.-.2.9.2.b.-.4.0.b.a.-.8.4.b.c.-.7.5.d.f.7.a.1.3.3.6.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.5.0.2.7.c.1.-.b.f.8.b.-.4.2.4.3.-.8.2.5.4.-.e.f.5.5.9.f.6.6.a.2.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0362499842329518
Encrypted:false
SSDEEP:192:iBL3Bxv7Pl00JsAnbcAgI3jpSZrYTnkzuiFAZ24IO8TVB:i7v7NvJsAnbcA3j5kzuiFAY4IO8X
MD5:118065AC260CABBAF906DBC130191207
SHA1:B6392C689B1E9CF1EDDB79C476FEF90144AEBB3F
SHA-256:C16716A5CD105E477848B2BCABC9F10F972C3C651FE56D7B095DB526ED06C1DB
SHA-512:12B7FF3241421B62A25DD84384B0D56FB407C3C98A80AE47BA7AA3323C9A17AE627F1F5BDA9023552F84B24B2F081EA10F97A0FEB3A2B5211C3D8E155B7A0D39
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.7.5.9.7.8.4.2.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.3.b.7.6.d.c.-.3.7.2.3.-.4.c.1.2.-.9.5.a.8.-.3.e.b.7.4.2.c.b.3.3.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.4.9.8.a.4.0.-.b.1.c.f.-.4.c.3.0.-.a.d.0.c.-.b.6.6.9.3.c.0.d.a.9.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0163392293919353
Encrypted:false
SSDEEP:192:SPTBL3BxvWPlk056rPI3jpSZrYTjzuiFAZ24IO8TVB:S17vWNf56rIj9zuiFAY4IO8X
MD5:91D78F42A37111030F82DB3F26A3C02F
SHA1:FD14272B4F0076F3FD98815073008FBEFE01238B
SHA-256:5116FAA201D2780AEC2953E0CD63DAC1AF62016C38C51699F478E9496D825E54
SHA-512:8BDF6A4096A0704FA28970D95AE67A51F2204C168DDBBCA197DE3C3CD45C45075BAAD689DC970712BB6781E36E9BF7558AF10AE047344795282DF2743F2BCFCA
Malicious:false
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.6.1.9.1.4.1.9.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.e.a.4.0.c.6.-.2.9.f.2.-.4.6.a.6.-.b.1.3.1.-.6.f.7.5.2.7.8.e.c.1.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.0.6.e.5.a.f.-.5.c.3.e.-.4.3.c.5.-.b.3.4.c.-.7.a.8.b.3.c.3.5.7.d.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):1.029632107834421
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:4Ke1BL3BxvPPlk056rPI3jpSZrYTndzuiFAZ24IO8TVB:rS7vPNf56rIj5dzuiFAY4IO8X
                                                                                                                                                                            MD5:BFBF249A7BC61449944E80951DD051D6
                                                                                                                                                                            SHA1:31EC8F4480B0163C94766C0B630FAE82CFC57005
                                                                                                                                                                            SHA-256:D5A22F7BA2AD2D458D6072E4D59884741803B61E772661545929982323460D52
                                                                                                                                                                            SHA-512:8EDC70537FE9CDE810D2A00917D83007D79CCF01406B9A4A140D2287FB78C5D57259FFF0152E251863E2852D43627B50C540DB1E7645C276A4FAD0C4BB507DE9
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.7.0.0.8.6.6.6.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.6.8.f.a.8.3.-.6.7.c.d.-.4.5.9.b.-.9.c.b.c.-.4.c.1.2.e.8.1.c.8.9.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.2.7.9.e.3.3.-.e.f.3.9.-.4.3.7.c.-.8.d.e.b.-.0.3.4.c.3.2.9.1.2.f.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9426141417534122
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:DLBL3BxvJPlk056rPI3jpSZrYKzuiFRZ24IO8TVB:R7vJNf56rIj4zuiFRY4IO8X
                                                                                                                                                                            MD5:64255BF364F99EE1B70AFB188DFEFD50
                                                                                                                                                                            SHA1:FF26F954D1E5D73EA04283145ADEA48A1C065FAC
                                                                                                                                                                            SHA-256:BC284E63AA7ACBAB801227BFE1C7AF7FF02FE3D9869104482904572D6707F34C
                                                                                                                                                                            SHA-512:EBCD129E695130C5D59780F5640FB5C130CFDF1AE2233CB5F76F3837C4BA8C30D17CAF577DBED703E381A0350B345923E0943EBAC402C8DDD0FE5936FCEC0527
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.5.4.4.0.2.5.1.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.1.1.3.e.4.e.-.2.2.2.5.-.4.b.0.5.-.8.0.d.3.-.f.f.5.f.4.8.6.a.2.e.f.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.f.4.a.9.7.6.-.4.4.6.3.-.4.9.9.8.-.a.9.b.a.-.5.a.5.9.a.3.8.8.2.e.d.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9424061754882452
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:LBL3BxvgPlk056rPI3jpSZrYKzuiFRZ24IO8TVB:17vgNf56rIj4zuiFRY4IO8X
                                                                                                                                                                            MD5:F419CA7CFB1ED7979B500B2BE8695FB6
                                                                                                                                                                            SHA1:55EB8474EB34C92D0D900B57B9B3CB2A828EB746
                                                                                                                                                                            SHA-256:E0A7D019F01D957514AD0994B68E112C46389C66022F95FAD50B43495DAB73B2
                                                                                                                                                                            SHA-512:720094E3C1F57BEE43044575CFC0ED6673789ECF70FA897939C670AF31AA934D6C5EB2F1363F999879A9DE88A5D8735E5E6CB84FF9C0B58F85C6496B37C96441
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.5.6.5.1.1.0.8.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.9.c.c.3.0.3.-.3.e.c.6.-.4.7.f.1.-.8.d.5.0.-.1.7.d.3.1.2.3.7.8.2.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.d.7.e.2.d.f.-.6.a.6.0.-.4.4.3.5.-.a.6.a.8.-.4.8.d.1.5.1.5.4.e.d.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9898736830150473
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:zBL3BxvEPlk056rPI3jpSZrYTBzuiFAZ24IO8TVB:97vENf56rIj/zuiFAY4IO8X
                                                                                                                                                                            MD5:F52A82D31E7B5E815EADD50DC22BF846
                                                                                                                                                                            SHA1:FFD8E182FCC0206FA0F70D934B5BF88B3566DDE9
                                                                                                                                                                            SHA-256:779F77D11ABE731EE97BAC7E8C5AA59D39759E8AE8EE077C53C581EE2643921F
                                                                                                                                                                            SHA-512:17E4EDDB7849C29FF7C49174B8440F0725667276B58B497B778ABF611EDA7B441482BB3E4EC8D0526B6DC4DBFBE1E5F265F06249A4A6CEE6D53E0DEBD29747CE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.5.9.2.9.1.7.4.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.5.0.8.3.1.a.-.a.d.0.d.-.4.b.3.2.-.9.8.f.8.-.8.3.1.3.9.4.9.2.5.1.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.1.1.8.0.a.3.-.3.4.3.d.-.4.9.6.6.-.9.0.c.b.-.f.d.0.3.0.5.8.c.9.e.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):1.0159657983771808
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:tBL3BxvQPlk056rPI3jpSZrYTjzuiFAZ24IO8TVB:T7vQNf56rIj9zuiFAY4IO8X
                                                                                                                                                                            MD5:C18A21E90310B42E43745A50A12F8538
                                                                                                                                                                            SHA1:3F5CDBD5503278402C220FD7B587D9F23B2E762A
                                                                                                                                                                            SHA-256:9CBD70D15346F2C11110C263DE12641B83529F9EBED5BE9B0564FFC3802C5C77
                                                                                                                                                                            SHA-512:6F42D991097B81470EA5B8B8E6D841292AC2FE9EADBEE01F6C0C2731AB16B2234083EDC7AC83232744AC21941769A6C8C5B204EBB9990C6C7674E17CA1B64849
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.6.6.4.9.4.6.9.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.d.9.6.1.1.0.-.c.9.f.b.-.4.2.4.d.-.a.3.3.b.-.5.f.5.5.f.8.d.8.e.d.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.1.a.e.7.3.7.-.9.b.d.1.-.4.d.f.8.-.a.a.b.4.-.7.2.f.0.0.0.4.f.a.2.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:modified
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9223742280188229
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:iRBL3BxvKPlk056rPI3jpSZrYPzuiFRZ24IO8TVB:C7vKNf56rIj9zuiFRY4IO8X
                                                                                                                                                                            MD5:006CE11C829700D6CB74425C1B952FB9
                                                                                                                                                                            SHA1:96FF7CCCEE5889E8C6E80078B8B25D5F5F4F5FC6
                                                                                                                                                                            SHA-256:3A61CF5DE987C3E7C7BE3A2165D6B1D9D18F68C61D47C48ADEBD24749DFC71E4
                                                                                                                                                                            SHA-512:527FAA8E6300E5A684FC992F264D81A143EB24D00E668352940D5DE64F9382D05B40756DC476DE5B9A0E93AE790B9736BC84F8D70FB7504593732CB062E3DBF3
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.5.3.2.3.5.2.5.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.3.1.1.b.2.a.-.b.a.b.5.-.4.e.6.b.-.9.4.7.c.-.d.a.0.8.8.2.d.e.2.d.5.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.4.8.a.e.4.6.-.6.2.0.e.-.4.e.8.b.-.a.a.d.0.-.f.f.7.3.3.4.d.b.6.d.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9163424792575441
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:TBL3BxvFPlk056rPI3jpSZrY9zuiFRZ24IO8TVB:d7vFNf56rIjvzuiFRY4IO8X
                                                                                                                                                                            MD5:69719C9590ECB0FCBD9879F622237C79
                                                                                                                                                                            SHA1:D38648310286E12CC9F32B4F8F791E361DD77818
                                                                                                                                                                            SHA-256:D4063F24D516C9602E242E983616F4E8DCCFF51A4E5DA55B2AC765B282DACBB0
                                                                                                                                                                            SHA-512:E513426D074AE8CC83C243D0319C8E1CD2AAED23E754B287B91A62E8868A2F368670CEDA0A732A4950F02C7B886F7759D96F523E709D5C4E8E549CAC2EE7A827
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.5.2.1.8.2.3.9.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.7.5.8.7.0.7.-.7.d.7.5.-.4.9.2.7.-.b.f.c.d.-.9.0.5.8.8.6.5.8.4.b.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.f.b.7.4.1.4.-.1.0.2.a.-.4.9.6.3.-.a.8.d.5.-.7.b.8.e.5.2.a.9.7.b.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):65536
                                                                                                                                                                            Entropy (8bit):0.9023641805835356
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:kBL3BxvaPlk056rPI3jpSZrY3zuiFRZ24IO8TVB:47vaNf56rIjVzuiFRY4IO8X
                                                                                                                                                                            MD5:09D69961BCEC33250191F486D1657539
                                                                                                                                                                            SHA1:8907C3FB6A396FC4011DE5873FBA1A8695AA65FB
                                                                                                                                                                            SHA-256:DB8AF5DE43BD991D74BCED902052E73222123611955BF5F3F57AC47E4D728608
                                                                                                                                                                            SHA-512:56713015A6D38DEF77BBE925803B839BAF25725FA2E644D0DED294EB6F7C76D14C69D8ECC8CAB90428F7BFEC0441C112C9981A51D6F26F00409AE15BE79FEECE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.9.0.2.5.4.3.0.8.2.2.6.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.f.9.e.3.7.7.-.8.a.d.c.-.4.2.7.6.-.a.9.2.0.-.6.d.a.b.3.0.d.a.f.6.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.e.3.d.e.5.6.-.3.b.4.e.-.4.0.7.a.-.b.5.d.5.-.4.f.5.2.c.b.a.b.4.4.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.0.-.0.0.0.1.-.0.0.1.4.-.3.e.d.0.-.f.3.7.2.6.a.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.9.5.7.6.d.6.d.8.3.8.8.d.e.a.4.8.9.9.4.6.1.4.1.d.b.c.c.f.9.c.f.5.f.e.3.a.2.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.7.:.0.9.:.4.4.:.4.4.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:12 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):70816
                                                                                                                                                                            Entropy (8bit):2.292748778039401
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:SyYyRoHNTvZNPaIVrCeP9q953C/QYaPA:iPBkurCes93jI
                                                                                                                                                                            MD5:61E93FB0770B18B70520FBDDE3DD2F1F
                                                                                                                                                                            SHA1:DDFA77FED1BD04BCCEC5E0D431ED36E8C153111B
                                                                                                                                                                            SHA-256:6E3DA551559F5BC5EB1EB6B68A0BEC53F30584582BAF4406EE9963191C56037C
                                                                                                                                                                            SHA-512:70F338B92A5968497F905095435C8F19FB836053ECA0C1EE236F72079E93BC742CA3398185C9B067CB8612CCE6F92BE08B1CC686AFEEF27250FB5CD190F085F5
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f........................l...........<...t.......4....4..........`.......8...........T............&..........................................................................................................eJ......4.......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8348
                                                                                                                                                                            Entropy (8bit):3.703772043506577
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJKCyA6uFSum6Y9Y9SU91wLgmfBQiJpBZ89bj4mvsfthm:R6lXJj6Jum6YgSU91wLgmfiFjmfC
                                                                                                                                                                            MD5:7571C88BEECD61B491275997CE457AF8
                                                                                                                                                                            SHA1:99A074A6105C0EA7056741D0382BFCE6A285809D
                                                                                                                                                                            SHA-256:025EEF60D289B9C73102909161E64B252E2A8C4FEFFD78D4500BEACC33229C77
                                                                                                                                                                            SHA-512:AE04FC33C3878EE2A0AF37F6594DC27BE2EC664B63BEA662833F55E6E6F418AC3100D78C74C022EA660D815BAF8B3FD22CBD7F25418298ECBB27C26163F7EF0B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4589
                                                                                                                                                                            Entropy (8bit):4.469784769700327
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zsPJg77aI9XEWpW8VY4Ym8M4Jd4Fp+q8qoioBCodd:uIjfxI7dd7V4JeAnBCodd
                                                                                                                                                                            MD5:5548BF5C097005CC736C8A7A1B523F42
                                                                                                                                                                            SHA1:C25EC74CBE99C18D2DF0C1CFF9493D42A30B6B40
                                                                                                                                                                            SHA-256:0DDFF3AD34A46EB0B19904811B27A868A7238AB123120CDB4426907C2B2B4884
                                                                                                                                                                            SHA-512:ACC00CB88E33D03FF01CD7CD8286D07073B9E199ACC400709C0AAD2977C32EF0104D3B54D63F6B7AE7FEC4DCD64884B1CEDCEC95FD230300073FDF5CB53B137B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:13 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):77068
                                                                                                                                                                            Entropy (8bit):2.2439962115070395
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:N452CTPPNTvyJz2sJi54apVrCeP9O9kaRN953C/QcJqCtEZafofz:iwINTvE2AapVrCeP9q953C/QKEuIz
                                                                                                                                                                            MD5:A374C48CDF280EE9B8A8F3BE1A75D4B8
                                                                                                                                                                            SHA1:24329BD370DA4258C65AB0D577398F001491E4AF
                                                                                                                                                                            SHA-256:BB62C189BBE651810C620AA2C02A97FD831B4BD1FFFC565C228CE31C0FB679A0
                                                                                                                                                                            SHA-512:AF7F0F1C8775C605060872A5FF24FFB4C62FE42474C1623DE29936F26B887E7D10700F8063D14B6ACF140CE4FC77058A2BAB081BDFE28DF04D815C9913080BF0
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f............$...............8.......<................8..........`.......8...........T............&..<...........L...........8...............................................................................eJ..............GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8346
                                                                                                                                                                            Entropy (8bit):3.7027095455639136
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJKCm6w6Y9aSUi1wLgmfBQiJpBG89ba4mvsfQ8em:R6lXJ46w6YgSUi1wLgmfi0amfB
                                                                                                                                                                            MD5:7FE2420712F3F8F25ACCCE6C80D7820D
                                                                                                                                                                            SHA1:EBB5C45BDE026EA98E356DE6486FBB371614AD78
                                                                                                                                                                            SHA-256:E99FD8CDB55C188B9EFCE559CD9EC7776B9F0BDADA68695370F2206FFFB9C4C2
                                                                                                                                                                            SHA-512:73076E8E0539EFADDBADF97F807F2398E38698F49C91CBD1369208E2C43E7CCC184DBC4310A491FC1FC984E26EEB55C29AF42DC7B5CB6E5996F22203BA8E1960
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4589
                                                                                                                                                                            Entropy (8bit):4.470213805688719
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zsPJg77aI9XEWpW8VYBYm8M4Jd4FNan+q8qoioBCodd:uIjfxI7dd7VpJIanAnBCodd
                                                                                                                                                                            MD5:014F15FA73A26196EBF2B5FC106CC405
                                                                                                                                                                            SHA1:9F92DF001880A9ED8C2A8F729D09903EA6831065
                                                                                                                                                                            SHA-256:B8E59F65AE8C75A28B39E685E57C6A3733CE2CE0C2348790CE150D2DF81F2990
                                                                                                                                                                            SHA-512:BB4F37174CA97270B03B3187A110F8352CF1C639A811B0A1DD2FA54187DB5E8CC7FEAFE7CC6CCFE7B9DACE4A61957761DF9028DB8F3D3F2E4FB261B682E6E13D
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:14 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):81882
                                                                                                                                                                            Entropy (8bit):2.1715138253464135
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:WR0Tl/5NTvzk82szxfnvOVrCeP9OOkaRN953CzQMJ6yAM2ZB05zDue:PRhNTvp2iRmVrCeP9J953CzQTLZqke
                                                                                                                                                                            MD5:66609B678B35F4CC37746DC75555CEE5
                                                                                                                                                                            SHA1:CBB7608C94E29A15CC2AE186215CF1B1C52E22EC
                                                                                                                                                                            SHA-256:F1217EE1B663DF5D7EAAF9D07A3DE74BAB330B8A1B1DEAB7479FEEE50B7B7900
                                                                                                                                                                            SHA-512:9E356900B24AED934D11F529CB921AB7FABB153143365E2CC80DE03CC436C024506C17AD9AD6BD8B7C784487DE023FA152FF4F693001C65CD589813BEC713632
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f............T...............h.......<................<..........`.......8...........T...........H'..........................................................................................................eJ......D ......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8346
                                                                                                                                                                            Entropy (8bit):3.7003689982870602
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJKCD6kFCI6Y95SUsCwLgmfBQiJpBM89bV4mvsfgHAHm:R6lXJt6kFCI6YjSUsCwLgmfiiVmfw
                                                                                                                                                                            MD5:C6EF1B2DB046038ABED77CE3F45D9BC5
                                                                                                                                                                            SHA1:40E4A528866C309C0AD336D067579DF6F1D51AA7
                                                                                                                                                                            SHA-256:74DDAE374200CF32A48CA9DCDC2AEF3C8CB10D129DBB10F2B6BC9F0D5459B119
                                                                                                                                                                            SHA-512:695A6A6D8C40C55B2ABF27A107B4DA587B2926C705878B1236D8E4182D5FBE27F286693FAAE5F9ED6CE78DA88446FA13E7EA95AB6F99149F3EF7DF39F59FFA31
                                                                                                                                                                            Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.469805755686946
Encrypted:false
SSDEEP:48:cvIwWl8zsPJg77aI9XEWpW8VYoYm8M4Jd4FezX+q8qoioBCodd:uIjfxI7dd7VAJlzXAnBCodd
MD5:4C5187F6C166FC1A43422AFB11E28860
SHA1:E2E259D820465E47FD73482AFDC235C6093E12C3
SHA-256:17AA075FA08DA49BAFC572B932B32EFD4C3FD93AF4197FB9D6BBA2C4F606450E
SHA-512:530ACC4DB8DEEE98AD86BE2BA236127FE2E71A26A2A0E264EE617A7E26BD72C6911AB84115EA6ABD13185DE6242B29A3E36CD5EB74F23CC7275F7DC9E6A618A9
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:16 2024, 0x1205a4 type
Category:dropped
Size (bytes):95528
Entropy (8bit):2.2688885234692333
Encrypted:false
SSDEEP:384:sOD9QcpNTvNa3bxfKbsQ3A9hBQeP9OOkaRN9G3CnQmBsWtJ465bNJlCC2w3kv90Z:B5VNTvNUEH3mBQeP9J9G3CnQi7bzlHU
MD5:BF12761469850F2E7FB55D2F09BF0978
SHA1:020C0537B4D349F6A2AD6556D5F670C3F6346F29
SHA-256:A385FB6F97CDF5687CD7146083326E713279A46FFFFFB905EE1834A81814B868
SHA-512:2CDF0D20A05EB40FF285A4988D0C0E6407C216FF73183B66B7F2D26FB361E498BBD2357AD3B8A70DF5FBA95B32709BFD1AEFFF07F532C87DE6997246184ACBBE
Malicious:false
Preview:MDMP..a..... ......... f....................................<................?..........`.......8...........T...........8-...G......................................................................................................eJ......t ......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.701097911060971
Encrypted:false
SSDEEP:192:R6l7wVeJKC26+6Y9gSU2jgmfBQiJpB+89bH4mvsf0ytm:R6lXJI6+6YqSU2jgmfisHmfo
MD5:F9112794B16CA1596B3606D16ABA16C2
SHA1:F2C2A3DF4B14764B9F9E710101DCD1DE1D092631
SHA-256:034C5B5804C623035A49876EE9B65DF12F5E201EF63FE1BADAB808D0A9AE1740
SHA-512:B5315169CED0CC52ED0B7D7F360DACD1F90DBB771F46196DDEF9B2B2EFD0D22EC017330898935C64D1176007B70B7317E98424BE3A436E57FF3DD8CD98BDE961
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.470348737632921
Encrypted:false
SSDEEP:48:cvIwWl8zsPJg77aI9XEWpW8VYMYm8M4Jd4FGc+q8qoioBCodd:uIjfxI7dd7VMJ7cAnBCodd
MD5:7B8A3A90DECD8EB2B4258301E409D539
SHA1:F6F0962F3048DF2FA93846B9BE91EFC36DA70354
SHA-256:0C41901F1882EA166DC3957AEEEEDAF209351D687CB9D999A4915C1829136251
SHA-512:6CCB5703AABD546EAE4B1E8FEA842D0FEB8653B4069DA5548FE605C6B725502285F04DEFF503C75794BD3E50A646CF3CDE83E784DEA69D5DB57D48F2B00DB421
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:19 2024, 0x1205a4 type
Category:dropped
Size (bytes):106324
Entropy (8bit):2.2529239071392464
Encrypted:false
SSDEEP:768:NyaENTvg6L66YPZrKwfBQem9J9H3CrQSDjQPL:s3p660ZrDBQe69xSDji
MD5:F652FCC03D810B01DD2E61FEA7197EBE
SHA1:C296B9D252AE087D7ACDB3901D5C7623B04C601B
SHA-256:B971ABCF4390DA6B723506201C7181966E4AFF65584DA607A32BB0949A80B294
SHA-512:E42390FED9BE2594A4020DD6226012A7009BB9375651B5143BB067CB4BF90B930455471C3B4AFE2AE5F4DAAF8BFC15EFEF8D5E6F45395D47876D854530EF097F
Malicious:false
Preview:MDMP..a..... ......... f....................................<.... ......t...ZF..........`.......8...........T............7...g...........!...........#..............................................................................eJ.......#......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.702024473544747
Encrypted:false
SSDEEP:192:R6l7wVeJKCD6g6Y9MSUbKgmfBQiJpBG89bw4mvsf+Qm:R6lXJN6g6Y2SUbKgmfi0wmfw
MD5:3D906EABC67FFBD50D28D21ADF12547A
SHA1:CB2DCB2737DC9D9A66FB3DA015D8683EC3FB0912
SHA-256:1F598ED98C30925893ADC8D6A34830BD4DCA1DD4A5DF51B3928664C9BE0BECDF
SHA-512:A419EB359C74114FAECAB4FF5E920618DC6C3F0D3776BB410C05C650374370F458439AF72B09587D17ADFE7DC471AB847D1DA1E412050DA6492C2ED286B0FE18
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.470705289519032
Encrypted:false
SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYpYm8M4Jd4F2d+q8qoioBCodd:uIjfII7dd7VpJrAnBCodd
MD5:102A6050BB6DF43454B783E48F0C6597
SHA1:7E9B24648A9B495E8F3E1E246D07F72B54342B3E
SHA-256:A1805EF6B879747AC2B25801B0C2C3C6B5B09EDE414014DD3AD29BC24F851C86
SHA-512:8464370AB7B0AAADA86A6073E4E2F302A46C26D760A63DBE5637220335EFCB3978F76BB2B1D82E9843AE143011C1EEC442C64D6596EF6BB118D8E6B6304F0E0E
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:22 2024, 0x1205a4 type
Category:dropped
Size (bytes):111782
Entropy (8bit):2.122011895884375
Encrypted:false
SSDEEP:768:7dLtNTvFcoKCbgX9H3CfQAjW/kGD7BN1Z:7Ztc59lzTD/1Z
MD5:25DA2774E88DA4FE845C8CE5840F5F69
SHA1:A4AE70E50415399A74A7FAED719CF1E5CBA4DB14
SHA-256:16C4903204A0A03FB3B61913A250D6AAC9F3F06D13109F0128B444978C114934
SHA-512:F749D9C92FEBBD70075EBD98A49EEFE10D4914D0748B7CE52E50E9598C29313B4C405D9C23E26E52CBD52DC28917903FF29E47B7B8F98CB44BBA16A9DD54FAD7
Malicious:false
Preview:MDMP..a..... ......... f....................................<...."......$...tK..........`.......8...........T...........PG..Vm..........."...........$..............................................................................eJ......x%......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.6989515829485855
Encrypted:false
SSDEEP:192:R6l7wVeJKCt6r/6Y9QSUmpgmfBQiJpBG89bw4mvsfIwm:R6lXJz6T6YKSUmpgmfiUwmfG
MD5:C2ABB17B73721D0C3ED5BB0E07ED8478
SHA1:0122D8AEAB4BCC6F051C9A23269D33CCFEA09CB1
SHA-256:3FC0D9F0ACEDC108B0F19748A6D9D504F924E7100976EF95CA364621854D04EC
SHA-512:493C19537966616D880E582688C46EEA7C5E1AEBC6B92EAE8AE4EC904841F0FD1C6966369621ED1963C936EBB536A3A08FE50C5AE32E57461A53EFF825E752DD
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.472119730397404
Encrypted:false
SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VY4Ym8M4Jd4FhU+q8qoioBCodd:uIjfII7dd7VoJpAnBCodd
MD5:1542584062468556F20907D544BAB77E
SHA1:DFEA0DB5BB1747BF8F637CF50CD4CE5560C6181F
SHA-256:9D11FE6B272AC4F1F32AFF1C34E1C159A7A6604F7010CD8BEBCD4B952287C3EE
SHA-512:DF466661BDCF46101C54C156E3F70A92A084FD5336AF231E6407B72E40C796BE247E349C0859335F17E3F08D03B13F732F3050C6BFDE5E85FB90C24B4E60770E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:27 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):123754
                                                                                                                                                                            Entropy (8bit):2.0349062096176014
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:fmOPCaNTv2WCBpXCHOCX9H3CfQKaYNBGm5S+bmu:fxPduXBEu+9lDYnGm59bH
                                                                                                                                                                            MD5:DF94E01EF3921F90C6F9D8845BDDB89B
                                                                                                                                                                            SHA1:B85271E70E115EFA20E063A32C09D13C39B05B1F
                                                                                                                                                                            SHA-256:4D84393C9EC5484F22B0081095B2252993614873905140D2B21AF27C9F6B57F1
                                                                                                                                                                            SHA-512:663C47EFD2AB695C036E83DD545F69C720D9B3D9EEE96EF3DCD7A1FCDD9CBB8846D397D23432940E0FB368EDDBEECF3FCF97D15B6A405D2FCA2211A62BE514FF
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f............D...............X.......<....#..........lQ..........`.......8...........T............G.............T#..........@%..............................................................................eJ.......%......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8346
                                                                                                                                                                            Entropy (8bit):3.701731721568259
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJKC16aQEb6Y9qSUi4gmfBQiJpBw89ba4mvsfG+m:R6lXJ76aQEb6YASUi4gmfi2amfW
                                                                                                                                                                            MD5:C17C46D5214EB9496B38BFE8B378DF2C
                                                                                                                                                                            SHA1:055CBE2F8002FA50AE6364631A114CBE8FF27FCE
                                                                                                                                                                            SHA-256:66F791747D47797F4AE3D03F1123BF4FD9ABAB74DA788DA5300488CF4E1F72AB
                                                                                                                                                                            SHA-512:411D1B0A49534D3AC269C9E779C97D96BB30C0649E5EA285578A40200E1671C8D250E3837518C1B3C67CAB929212B0539B29ED8F4E62560F43364C9289182AE2
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4589
                                                                                                                                                                            Entropy (8bit):4.468356451010496
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYtYm8M4Jd4Fa+q8qoioBCodd:uIjfII7dd7VpJ9AnBCodd
                                                                                                                                                                            MD5:E871ABB7747BB79BE34481F822D2548D
                                                                                                                                                                            SHA1:78D04F490E2557F508CA7DDE924F96237AFBBD2E
                                                                                                                                                                            SHA-256:F666A963C9055BF3E7E784E5BC184A358484402377D45CE3419E10EFB89DACE7
                                                                                                                                                                            SHA-512:7777FF8AD4E0ADAE0A984BB74ACA0017D699E991B6E0A5CA937C3AF1785CB1EE45B574FB8B6400D7488489807F19F8C758A2B6AE412F318D114B9B943CC363FC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:29 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):58054
                                                                                                                                                                            Entropy (8bit):2.2300536080721054
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:zNKa7sNTv9n0kdsqmtb3D65k9f93C1H/nMAQ6B:8gsNTvqmdGZ93C1HvQ6
                                                                                                                                                                            MD5:13740BCDB4FEF4A1D8FB10866B1FCFD6
                                                                                                                                                                            SHA1:10683D1304B58ADDDE502C6F3BB3248566E00210
                                                                                                                                                                            SHA-256:60E66B08E47D4B8A0B6E2E2610993FA23EAFD5298D710D46C1E60D16BE6AB781
                                                                                                                                                                            SHA-512:EAFC49EBA45B6AF2BCD3416CD5F614523B5B3956E103ED16AA006423D23149DF56C7165CD1020F6ADF50124A27BE7092171DBD142ACA4F7F1F9A6B62A73BD23B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f........................(...........$...........t..../..........`.......8...........T............ ..6...........$...........................................................................................eJ..............GenuineIntel............T.......4..... f............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8372
                                                                                                                                                                            Entropy (8bit):3.702292877829732
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJIr6I6Y9PSUU4gmfViJpBm89bjusffBm:R6lXJs6I6YVSUU4gmfVcjtfE
                                                                                                                                                                            MD5:91195A56A96C00D2B133C1C4ABC88666
                                                                                                                                                                            SHA1:6DBA1CB61D8C29D8B77D611DB46D07F5BE91BBA4
                                                                                                                                                                            SHA-256:FED38E2BBDDF72E816B198EB1A6029CB556C7A0B3A6125724D054D24430AB0D4
                                                                                                                                                                            SHA-512:00F03AD0DE9477F34BCBD3E87C929E8E76D0B166D1B8A2901016A3C8A52E87D0DA33EFE0182E1C79DD4E0940E260AADE1830FA81F19938054B5F9C3B0C0D707E
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.8.8.<./.P.i.
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4614
                                                                                                                                                                            Entropy (8bit):4.489547900384475
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYSYm8M4J/4Fh/R+q87VGoTLBCPKd:uIjfII7dd7VyJIJ6GoTFCPKd
                                                                                                                                                                            MD5:0FB8C0D4AAD80BDF0AC8240CDA3819C4
                                                                                                                                                                            SHA1:849A84F8A2F052B3C486365B2F7A2771D967D151
                                                                                                                                                                            SHA-256:225206FB6F43E13A449A1AA9867F9E8913895CE9D1064A2E381374E388DE4DA3
                                                                                                                                                                            SHA-512:7420356DF5FCD0A1A4E34EE3A27585B0E478667780089EF68BCB4A39EE31CE971E9D9DBA3BADC61459D9EAFD9E2DBE7D35D7483D551EA77EEFF5B4FA1046CC97
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:30 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):131534
                                                                                                                                                                            Entropy (8bit):2.0568358572619614
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:iFgJNTvhP/VB4XwOvX9H3CfQvBcM2OR6VBiaK:iK/pXVBWf9lJcROR6VBS
                                                                                                                                                                            MD5:DF29722F47B97300DB5BE32FA0DCB42F
                                                                                                                                                                            SHA1:6ED370014C99B82176B4112852A5D64F3408F060
                                                                                                                                                                            SHA-256:5E683F785684283623DBD1C269B07E044C8E8A70E07D8491BD8CF4DA9E4E65B1
                                                                                                                                                                            SHA-512:8BB1399063DADE7323E4C6721D57C0BEC850C436E209FFD08B78EFD28D16AD795C5C22B1E41826D593BD4FCF831E0698FBEB318F95E9856632C12E3F261DD7AD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:MDMP..a..... ......... f............D...............X.......<....#...........R..........`.......8...........T...........hH..f...........,$...........&..............................................................................eJ.......&......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.7010612871642916
Encrypted:false
SSDEEP:192:R6l7wVeJKCx6F6Y9FSUXcgmfBQiJpBz89bT4mvsfxTRm:R6lXJ/6F6YPSUXcgmfifTmfK
MD5:B4E36B32B96CB3ACCE5C58EAB78CBDA5
SHA1:90314D059C461EFB7867668D13C5578A10FA2707
SHA-256:5750CE72DF299ED648232F08CB2CA8FB46D80320C245A0B10CE1F8C3BB0F689C
SHA-512:19B6C6A07E6A80DA4A14CBEC8D5EBD76329DF8AE63CFBA56DB84E470347DA57D2547D3F0471E205ADC251D4FEB3D3F2055A66E5AF9E12FD48353EEE84AAD4033
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.471737079133167
Encrypted:false
SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VY2Ym8M4Jd4FV+q8qoioBCodd:uIjfII7dd7VyJeAnBCodd
MD5:3C29C7A097549D29D30F788F07667D8F
SHA1:70AC47C9F0262CF585B344EA556D70558E31763E
SHA-256:307DC0F9C0D589E2F25DFB219B605E0832E4A23221371CE9A4377A91FAAC5697
SHA-512:0B2825AC0EB76514425451C09A49181C39E9DEC65045F1AEA218D8E0E02526A254571C6604AC9C77BDF6135CAFEACFB3068B4F51DBDAF109EAB0683E99FF9EDB
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:33 2024, 0x1205a4 type
Category:dropped
Size (bytes):123746
Entropy (8bit):2.064994177486639
Encrypted:false
SSDEEP:768:xTzt6NTvUhUSdqdwsXTLZX9H3C8Q+luRDO1tTd:VU6VdMwM59c+luRDAtTd
MD5:CB6C70FAE27FBCEEB79FCFA78F18CC8C
SHA1:9AB14CF0CD8B04A8A3AB1F9DD51010EDA234E12C
SHA-256:96B237F3545E387B57842CF76AA7C5E55A6A74514F50B8EEBE866B4A7B1D3AF0
SHA-512:DB03A3077C1AF9E9359D4B9AEE020AA0EEFB5F710B13583572D4EFE38B2BF7B9A7C2C14A1D55127D1B4CD2264D407F6A51EC34A2367E332DF3843A424F3FA4E6
Malicious:false
Preview:MDMP..a..... ......... f............D...............X.......l...\$..........xS..........`.......8...........T............J...............$...........&..............................................................................eJ......L'......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.7016750514448087
Encrypted:false
SSDEEP:192:R6l7wVeJKCQ6mG6Y96SULcgmfBAaAjA1JpB+89b34mvsfv7dm:R6lXJO6/6YgSULcgmfSaAjAT3mfvs
MD5:83D073EE18C03FE6C29F8C318D9EF737
SHA1:E1DD809AF275052513E2D4C083C9408FC2C5DB7E
SHA-256:63DEC3C1ABB2499900B330340818A8B5F4C77FC4650744FD58F82A1497CEF329
SHA-512:CF610B0ABB4866FD05B6FF53FB50AC5B2455F52EBB3DCF020E980CC34478B49EFFE0BB05EDFDB277E74737842ECBE7AAC7974271BECA96E210319937B38DCEBF
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.2.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4589
Entropy (8bit):4.471210629728155
Encrypted:false
SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYAYm8M4JdQFv++q8CoioBCodd:uIjfII7dd7VYJ5QnBCodd
MD5:7CE5B003B775C60822C4C4241A10EA01
SHA1:E6E7DEDE0DE49CEB1B9ECC06F5448CF0DBF1EE2C
SHA-256:63D1687280C34A3DD43C0D0BEE7C473ECC783EC20B99EAD716C067579C09DB56
SHA-512:7A1DBCDD099FA67388E8BB9A24DE1D9149F54A31D3B2A62B316CB45AE399C4D3B019F467EBBAD8A2FBAEA1E4C4D51F7BB53C16B32EA073877D3B49E774A5453E
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:35 2024, 0x1205a4 type
Category:dropped
Size (bytes):75536
Entropy (8bit):2.174028642126174
Encrypted:false
SSDEEP:384:GzYOIa5bB9NTvmu9YVvFosL8DfVAoXw6Pk9f93C1HG4H8yX/rGB:GUaprNTvmwYEm8rVAoXwj93C1HFXD0
MD5:7097B3D49B323F4D44B7E638A050E4B1
SHA1:AA8CAE4C714AE96183395AFAC2BCD9BB9FC38F0B
SHA-256:49B7DEB2B0D8B26DEC159003B397420089918DE92FAAE61351C52307AABD329B
SHA-512:EC64484E9D3E9A33D116822FD6C8A1A5C8C3B0F2E6084FDA5861934B65EC3F2942842C491B407B32BC78C4B22E99F9E83C0CF7F9E4EAFAED02B7F1A29FC4C6CA
Malicious:false
Preview:MDMP..a..... ......... f............$...............8.......<...........T....9..........`.......8...........T...........h%..............$...........................................................................................eJ..............GenuineIntel............T.......4..... f............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8370
Entropy (8bit):3.701646967725577
Encrypted:false
SSDEEP:192:R6l7wVeJIX62A6Y9OSUuwgmfViJpBv89buusfJnam:R6lXJQ6B6YESUuwgmfVrutfF
MD5:FF5DD53742D70FB1811E78F405BC6DDF
SHA1:ECF70F1FF666BEE9AEAC4F5A0104ECE620696252
SHA-256:BD1B73A7083E108F019A599867F1C8443C5F0324851B97839272F4EC53A2C129
SHA-512:802E2BEDA9371FC5B3FD3C5EFF6BB77683BF2F45234C32AEADC5151D221D54FD9F72A0DE99C77C8952F8435853DC11D5C613EA5A220671980882071A26D26BE8
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.8.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4614
Entropy (8bit):4.4880929446847295
Encrypted:false
SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYXYm8M4J/4Fkq+q87VGoTLBCPKd:uIjfII7dd7VrJ7q6GoTFCPKd
MD5:1C8E5CBCE9D8C20CC374A8804ED81B00
SHA1:E4B96B3A1303F38B7822406786B4BA5F3C64E6A0
SHA-256:7B412FDE2D72E2A34048743EFC89B3236D9B4BD8E578EA496A8412F5FE80A7CD
SHA-512:24042848AC39B209ED3437506AE739D8FB22153F3E303516882633E8F6D6203151815BD1DF7363DE6E321F4829C244D4F91C5E118C45400A2309F108A7DFBE51
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:36 2024, 0x1205a4 type
Category:dropped
Size (bytes):118270
Entropy (8bit):2.0906947454978506
Encrypted:false
SSDEEP:768:MuM/NTvfVh0wCPXtL0X9H3C8QU2GCEZn:MuEXVewMI9cU2MZ
MD5:50C21CEA0982DEAF6B6677D4BE1E2297
SHA1:68A1615CE1CC88DC2F4B4AB857A8DC65BC3CC480
SHA-256:97F52D8946B8137C09ED754F86E1FDDD85414EEFB01AEC5BB746A272F0DFCCC7
SHA-512:6AEC68B76763C2204BDA3C62E98A53CA8750E6A422956108033DD45A6429C8F86A786D61BB01D506135AB0F90F7B3BC772923E385281184B130E20DE0749A891
Malicious:false
Preview:MDMP..a..... ......... f............................(.......l...,$..........|P..........`.......8...........T............J..>............$...........&..............................................................................eJ.......'......GenuineIntel............T............. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.701824582945648
Encrypted:false
SSDEEP:192:R6l7wVeJKCY6/k6Y9MSUysgmfBAaAjA1JpBq89bF4mvsf43m:R6lXJm6s6YWSUysgmfSaAjAXFmfV
MD5:39C8E86F9E39075FED18B69CE4B1B262
SHA1:4CFB26FF285326CD2F97CC40A062293381F3F5D4
SHA-256:BFFF10D48AF9A309A233DAD7AA041C5A3F18644BF9DA7A8CDE57ECE3FEA18235
SHA-512:191A4D1039E27841991D3EA824F02C3ACD416C2A946E060930CEC0DB6015057ECE9590791168AEF38C2406106EBC223823E5D06E4C7C9382BE40CF0F9925178B
Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7328</Pi
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4589
                                                                                                                                                                            Entropy (8bit):4.467268918512374
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYMYm8M4JdQFJE+q8CoioBCodd:uIjfII7dd7VwJVQnBCodd
                                                                                                                                                                            MD5:7D666F7E62728C8E8AC51173F50FD030
                                                                                                                                                                            SHA1:3A7F7B3FD3907CAD6B04370DCB8286D8B1C4D5EE
                                                                                                                                                                            SHA-256:B36750F56E246FB5F09EDB918B211A8B76AF768FFF1843662C5B5E1DAC0E71ED
                                                                                                                                                                            SHA-512:50BF07BA60EA9BDB8C3409C57E410595F4F4B5D398347A1A0B6EE12ED062BB65374496AEC79F9A4AE539BAA50DACB5024E781EE6375AE65D7FE0EF44641AC98F
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:37 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):81132
                                                                                                                                                                            Entropy (8bit):2.1355145781051537
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:o9fcQ/d7+NTvLPKVrseCYdVAoXw6Pk9f93C1HGmfbv3CpB0GR6K:oJ1/d+NTvLiB3VAoXwj93C1HHbpGUK
                                                                                                                                                                            MD5:85B54A060C5353C9BF695C5720B365E3
                                                                                                                                                                            SHA1:C3C18E72FF4D5C3E84B75E654B69AE3F2E719A32
                                                                                                                                                                            SHA-256:82DEDCD0B70CF4671452A9336CF2F3D1FCE2D532B4E075236FE344B7E630261E
                                                                                                                                                                            SHA-512:A1D790E9616FE3F47A1F845AA8415BD36236430B3EFC1B722DA74047C54C9C5A6E049C7B17DCD43A549D6CB7863C33CE333B3B71FF0BB68E5664B867225D59B5
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8370
                                                                                                                                                                            Entropy (8bit):3.7057935999042497
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJIW6K6Y9fSUysgmfViJpBOx89b8usfAs0m:R6lXJB6K6YVSUysgmfVK8tfAG
                                                                                                                                                                            MD5:44408B7BE6C02816D9A86D122124661C
                                                                                                                                                                            SHA1:8D2311C68317A82037BB2257F81BBA282A54324D
                                                                                                                                                                            SHA-256:78C29384C4EB19E14B9452500671F94EA8184B13D43B47336C30C5C163C77611
                                                                                                                                                                            SHA-512:AD895E96E9296597AA32F5D47424F47882AD5D9B0D547E02B015918415895C0B3A6DB122152FA61E4CE9AD0CDAE8E920CCE74AC5C3B1BE7F144E04C5869AB2AE
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7988</Pi
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4614
                                                                                                                                                                            Entropy (8bit):4.488275408005406
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zs6Jg77aI9XEWpW8VYaYm8M4J/4FA6+q87VGoTLBCPKd:uIjfII7dd7VmJs6GoTFCPKd
                                                                                                                                                                            MD5:3B8A9578B0F3E581BDDF40ED280A9C7F
                                                                                                                                                                            SHA1:CE6FDEB041956356ADCC1C5F4E5192BB131D392B
                                                                                                                                                                            SHA-256:C10A42810C3618258B83120434A804E36B48D0A3D982657D4B77CE2229CE5CF4
                                                                                                                                                                            SHA-512:02CEE6543C7F31EEA17E4F3196B747ACE81D712D2762E46968DB4512C863ED0347840E7A9800F9E40B0A24B0BF670E46625730E3926DA01F8060735EFB63CEDC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285092" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 08:29:03 2024, 0x1205a4 type
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):59188
                                                                                                                                                                            Entropy (8bit):2.2550159647197425
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:384:3TgXMMBNTvPs+s+nFPkNO9kaRN953C/QbJXkEIOTEJHiP:k8MBNTvVZkNq953C/QIOTE
                                                                                                                                                                            MD5:08F5BF97D4F1AF334F8ADD4AFCBB8AC4
                                                                                                                                                                            SHA1:E0FD976C7972538FF69EAABCF3DCE2E2BF37D791
                                                                                                                                                                            SHA-256:930EE30573D83D018A9B679FEDC549E98D270507A388218E773513F1F338B624
                                                                                                                                                                            SHA-512:9D31CA81ED12E320B3670770969AD23F03DD74A91990BCBDA42D2EDB26DB0826EC7F40FC3A9EC3C422482D30FB642C21F19F4E4867CE6CC0C134E52EC5B1A495
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):8344
                                                                                                                                                                            Entropy (8bit):3.700134159358479
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:R6l7wVeJKCa6z6Y9dSU5qgmfBQiJpBr89b74mvsfgpm:R6lXJU6z6YHSU5qgmfi37mfD
                                                                                                                                                                            MD5:8B6E7983D11890AC3EA5B1724B9D41C1
                                                                                                                                                                            SHA1:FC2F01B0D0756A0F63D6CEA8396CB47084FD0BEB
                                                                                                                                                                            SHA-256:C08DB5841CF5F8D39B884488EA9FBCD1D51F9F9C15DF42F5E414E41FE5A1DC6A
                                                                                                                                                                            SHA-512:0372B76C10BF92AA5AC2636A89FCEFF7B89CC2653CD75DF5CCD3166CE745250F4E119E8A654E8AC1F23A40541958B2DB9443AA43EF278C4C4D7369A854DED106
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7328</Pi
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4589
                                                                                                                                                                            Entropy (8bit):4.470099500882921
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:cvIwWl8zsPJg77aI9XEWpW8VYRYm8M4Jd4FuN+q8qoioBCodd:uIjfxI7dd7VZJ3NAnBCodd
                                                                                                                                                                            MD5:3F5C3E43C256EF28309D24B07BD1C50B
                                                                                                                                                                            SHA1:4B6627C9131552A510B2C8588FBFC966841035C3
                                                                                                                                                                            SHA-256:2E5029DF96D9431D40F1A6A6D37B9A1DB9C26B0AC04C63942699F8E88B2AB36E
                                                                                                                                                                            SHA-512:CE5232682214E2D9C21097B30CC96E84EEFA7743DFDCE861399C5A21F35D868323FC9941224ACC05003AB65EF2BDA0D35F8D14EB1A52C32B965EC893951C4803
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
Size (bytes): 962560
Entropy (8bit): 7.713192136777905
Encrypted: false
SSDEEP: 12288:oekLV5eBOkw6Qhe4Yh5wV/uVJuEk6sP4lX8DbDK45dg/bdlh84LZ8Xt8quJsHmrE:on6rhau/OglUbD5yb5LLuXBuJsH4
MD5: 265D5B8B9F603F0F5EF62F2C27449607
SHA1: 39576D6D8388DEA489946141DBCCF9CF5FE3A28F
SHA-256: 948D096A3931A22F116B93FFEEFB3A374834D8EB578620C0FFC83F3E468EED81
SHA-512: 9D4AC79A62FBD0CB1D76C48848AF7863DDA72BD16368250A2258B3D30A4DDDCB24C38AC62555222706041A5073CBC39D291B14ECDF222C7E04ADD5374403AF66
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 47%
• Antivirus: Virustotal, Detection: 48%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....0.e............................g............@.................................:........................................(..d.......p........................... ...8...................h....... ...@............................................text.............................. ..`.rdata.............................@..@.data....Q...@.......&..............@....rsrc...p...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 5543
Entropy (8bit): 7.8990592469630245
Encrypted: false
SSDEEP: 96:ZWGzqeAoMq+YK0KF8cAJiI2i+uCbpww72MmhGsqp0CjCiZX/3KJ/:tqASpF8wFRJmhG4Kx/6J/
MD5: 4AEB838408E0EAC40B20FF50BEF0A091
SHA1: 499A50C84DCD626266176B010E9B1530942FB0AE
SHA-256: 37B0DC292D72FE29E1DDA30DB9188737DCBCECBCA58544F1D6AAB9F7AAFE3768
SHA-512: 08AD02BBEEF03A9A0CD06134C340950D4877B817853C914A860FB52B4250705A16037A8E0B4DBF1D3555C20C5B632B3CE4227CE535D0567B6F2DCA653CD07A58
Malicious: true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip, Author: Joe Security
Preview: PK.........S.X................Cookies\..PK.........S.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with very long lines (769), with CRLF line terminators
Category: dropped
Size (bytes): 6085
Entropy (8bit): 6.038274200863744
Encrypted: false
SSDEEP: 96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5: ACB5AD34236C58F9F7D219FB628E3B58
SHA1: 02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256: 05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512: 5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious: false
Preview: .google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 7225
Entropy (8bit): 5.581748635754113
Encrypted: false
SSDEEP: 192:xcv9LvAtphWhcBixJsn+VwMcPhhx1kFnhYbMqZBQBNJiba5J2lbduERBobB6sGoG:6ZvAtfWhcBixBynB
MD5: CDE00CEC8BA42106ED590EE9C9F9FC74
SHA1: AE5DC41A44E823FDD2E56A477A11808C060CC430
SHA-256: C9CA068D5EEA772A0D3E7CB31876B39FEB6F4619996A288F11EDA048C0EAF42A
SHA-512: 5F27DF55B2E6AD82A71DF59DA567E465675131603FECB164EC4FD076D43EFCCB4C17119827FE405E404FA78B32AA195D6381D9B58E41CFE130D81A8982392861
Malicious: false
Preview: Build: gedro..Version: 1.9....Date: Thu Apr 18 10:29:37 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 661ed6a17208b11ac59c6cf1587792ea....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe39GtSuVzyOuE....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 10:29:37..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svc

Process: C:\Users\user\Desktop\file.exe
File Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 4897
Entropy (8bit): 2.518316437186352
Encrypted: false
SSDEEP: 48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5: B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1: A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256: 4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512: B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious: false

Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: ASCII text, with very long lines (769), with CRLF line terminators
Category: dropped
Size (bytes): 6085
Entropy (8bit): 6.038274200863744
Encrypted: false
SSDEEP: 96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5: ACB5AD34236C58F9F7D219FB628E3B58
SHA1: 02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256: 05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512: 5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious: false
Preview: .google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 7232
Entropy (8bit): 5.583585926053725
Encrypted: false
SSDEEP: 192:xLvlvAtphWhcBwxJsn+VwMcPhhx1kFnhYbMqZBQBNJiba5J2lbduERBobB6sGoSU:hlvAtfWhcBwxByQB
MD5: CE144F3C6C6E26BBE4709CD6D5AC6CAB
SHA1: 411AF728CFA656C836F81BCF43744A49E40A4376
SHA-256: F5603CF8A67D97F7FCD23E7C62019BFBA3D465C69EB6BACE2021236B1DE3A538
SHA-512: C3DD4A5A9CB3AC5313F0915DAE098A7B9A8321509A2A39E0626F7772293F93CFF5EB5D809505A1F5DF7CF31864D8D18754634371C97F9DC3B16B9EA3441A6BF5
Malicious: false
Preview: Build: gedro..Version: 1.9....Date: Thu Apr 18 10:29:51 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 661ed6a17208b11ac59c6cf1587792ea....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeIl1ZoQx5ZnY2....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 10:29:51..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontd

Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 4897
Entropy (8bit): 2.518316437186352
Encrypted: false
SSDEEP: 48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5: B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1: A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256: 4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512: B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious: false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:ASCII text, with very long lines (769), with CRLF line terminators
Category:dropped
Size (bytes):6085
Entropy (8bit):6.038274200863744
Encrypted:false
SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:ACB5AD34236C58F9F7D219FB628E3B58
SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:false

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):7107
Entropy (8bit):5.581686196717814
Encrypted:false
SSDEEP:192:xbvUvAtphWhcBwJsn+VwMcPhhx1kFnhYbMqZBQBNJiba5J2lbduERBobB6sGoSJ5:JUvAtfWhcBwBKB
MD5:905A6E3D234FE37E59D18C45B27B66A4
SHA1:8FC75A8DFCB46BC412F43F7DEE858D68D7FA959E
SHA-256:5D5B82E5D321731056D174A5F687C0B2B2D1423C1676EE5DB29C2DB43D0ADAD7
SHA-512:FCC6737AF83B1B1E652CB5ACC2C14FEDEEFFCD8364AA5479A4AE49DDE7382A1BCABC43307FD8D327D81187766F226354C1492EB391F27F1F34DFC3588EF17357
Malicious:false
Preview:Build: gedro..Version: 1.9....Date: Thu Apr 18 10:30:16 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 661ed6a17208b11ac59c6cf1587792ea....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobesyO6NvG6vZji....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 226533 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 10:30:16..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontd

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):5582
Entropy (8bit):7.899541020398721
Encrypted:false
SSDEEP:96:AWbWGzqeAoMq+YK0KF8cAJiI2i+uCfJOZr+8v1SN8bioz3KJZIu9+:AWnqASpF8wF7gENNG3z6JZIu9+
MD5:04F9600721DCCCE7402E930A3A7D1753
SHA1:C3D1F20434A9D47067F5903BD60DAF6619E3A799
SHA-256:282921443088D2F851B5AB05A59782FB6619A56B2DDBB84604759433E8CDE6C7
SHA-512:CBB1E2D3895374A5817FD9F2F9083F27B9B53D9B3490B922D175C8956AFA9A6D81712ED20EDCF91ACE951921E5E3ADA1AF230B26B089A7F0F3D3ED262E9943D7
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip, Author: Joe Security

Process:C:\Users\user\Desktop\file.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):5593
Entropy (8bit):7.900832209911
Encrypted:false
SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+uOazEgwNElP0y2VEycQH3KJF:NqASpF8wFZfgduEZ66JF
MD5:7DF263E0DF8C1A89B3E776E49343389B
SHA1:A015ED514C291D1E5081E18FB83427F60B120D1A
SHA-256:75CCD93FBC1FA8C552E00875E62B04B77CEA5B80A650C29314C830D7109543E4
SHA-512:EA36E5F0143CC72750594BBFC1A4785135AB84CC4D597F93AF7650366030B331CFD6FDCDF35C5BD9C7AA9D34552FF33845A3B3FF2E8752192C3D2817474B67AE
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip, Author: Joe Security

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):126976
                                                                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):5242880
                                                                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):106496
                                                                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):114688
                                                                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):159744
                                                                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):28672
                                                                                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):159744
                                                                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):106496
                                                                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):126976
                                                                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):5242880
                                                                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):159744
                                                                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):114688
                                                                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):28672
                                                                                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):126976
                                                                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):126976
                                                                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):49152
                                                                                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):28672
                                                                                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):114688
                                                                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):114688
                                                                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):13
                                                                                                                                                                            Entropy (8bit):2.199687794731328
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:L4WR9:UW9
                                                                                                                                                                            MD5:61B8C0C37BA2ADCB4446CB9F5FCC2E64
                                                                                                                                                                            SHA1:7B6AF136B68774E261CEAA9180A922B27A0A9B2B
                                                                                                                                                                            SHA-256:6C721B28161D3ED3921CECAD8B48FE080F6D00E30119FD6B5CC0978B9C1DA466
                                                                                                                                                                            SHA-512:61EB976E56ADEDB673BA713DE678DA6182B661F5533CB98F07EC651794BFDC10BA53410C8F4ED7F6BB6DD15C8E567366A060B593F18354B83207523293B9F4CA
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:1713433884181
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1835008
                                                                                                                                                                            Entropy (8bit):4.465309802705716
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:6144:RIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbm:yXD94+WlLZMM6YFH1+m
                                                                                                                                                                            MD5:459B942B14E985B33025DAA58E9C96CB
                                                                                                                                                                            SHA1:655FF6794D298D9E54F8BE70AE821BE0CC3B903B
                                                                                                                                                                            SHA-256:852F15DFE2454BFCE309BE7065D35C515C57755FF326C01AF33045467E308106
                                                                                                                                                                            SHA-512:392DD067F9D6957B83992737000472354EDA839F0537E714355175D1C307FE117BE66C0CF1B1332F49BCB68D601D92CE1E2612D42673A130B6603CCA0727A3DB
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:regf@...@....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...xj...............................................................................................................................................................................................................................................................................................................................................J.8L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
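The dropped-file entries above list, for each artefact, a libmagic-style file type, an 8-bit entropy value and the first bytes of the file. The following Python script is an added worked example (it is not part of the Joe Sandbox report and not code from the sample) that reproduces three of those fields offline from raw bytes: it decodes the fixed 100-byte SQLite 3 header behind the "File Type" line of the RageMP131.exe-dropped databases, computes the same Shannon entropy the "Entropy (8bit)" column reports, and turns the 13-byte marker file written by file.exe (an epoch timestamp in milliseconds) into a UTC time. The sample inputs are constructed in the script to match the first SQLite entry and the marker file shown above; the function names are the example's own.

```python
"""Offline triage of dropped-file artefacts (added example; inputs are constructed here,
not copied from the sandbox). Handles three of the file kinds seen in the listing above:
SQLite databases, the 13-byte epoch-millisecond marker, and a registry hive."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

SQLITE_MAGIC = b"SQLite format 3\x00"          # bytes 0..15 of every SQLite 3 file
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, as in the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sqlite_header(data: bytes) -> Optional[dict]:
    """Decode the 100-byte SQLite 3 header (all multi-byte fields are big-endian)."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        return None
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:                       # on-disk encoding of a 65536-byte page
        page_size = 65536
    change_counter, pages, _trunk, _free, cookie, schema = struct.unpack_from(">6I", data, 24)
    encoding = struct.unpack_from(">I", data, 56)[0]
    valid_for, version = struct.unpack_from(">II", data, 92)   # version-valid-for, SQLITE_VERSION_NUMBER
    return {
        "page_size": page_size, "change_counter": change_counter, "pages": pages,
        "cookie": cookie, "schema": schema, "encoding": ENCODINGS.get(encoding, f"enc{encoding}"),
        "valid_for": valid_for, "version": version,
        "version_str": f"{version // 1000000}.{(version // 1000) % 1000}.{version % 1000}",
    }


def describe_sqlite(h: dict) -> str:
    """Render a parsed header the way the report's 'File Type' column phrases it."""
    return ("SQLite 3.x database, last written using SQLite version "
            f"{h['version']}, page size {h['page_size']}, file counter {h['change_counter']}, "
            f"database pages {h['pages']}, cookie {h['cookie']:#x}, schema {h['schema']}, "
            f"{h['encoding']}, version-valid-for {h['valid_for']}")


def identify(data: bytes) -> str:
    """Coarse magic-byte classification for the artefact kinds in the listing."""
    if data[:16] == SQLITE_MAGIC:
        return "sqlite"
    if data[:4] == b"regf":                  # NT registry hive base block
        return "registry-hive"
    if data[:2] == b"MZ":
        return "pe"
    if data and all(0x20 <= b < 0x7F for b in data):
        return "ascii-text"
    return "unknown"


def epoch_ms_to_utc(marker: bytes) -> str:
    """Decode a decimal epoch-milliseconds marker such as the 13-byte file dropped by file.exe."""
    ms = int(marker.decode("ascii").strip())
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)   # integer seconds avoid float rounding
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms % 1000:03d} UTC"


def triage(data: bytes) -> dict:
    """One record per artefact: kind, size, entropy, plus kind-specific detail."""
    kind = identify(data)
    out = {"kind": kind, "size": len(data), "entropy": round(shannon_entropy(data), 6)}
    if kind == "sqlite":
        out["file_type"] = describe_sqlite(parse_sqlite_header(data))
    elif kind == "ascii-text" and data.isdigit() and len(data) == 13:
        out["timestamp"] = epoch_ms_to_utc(data)
    return out


def build_sqlite_header(page_size, change_counter, pages, cookie, schema, encoding, valid_for, version) -> bytes:
    """Construct a valid 100-byte header; used only to fabricate test input."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18:24] = bytes([1, 1, 0, 64, 32, 32])   # write/read version, reserved bytes, payload fractions
    struct.pack_into(">6I", hdr, 24, change_counter, pages, 0, 0, cookie, schema)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">II", hdr, 92, valid_for, version)
    return bytes(hdr)


# Constructed inputs: a header matching the first SQLite entry above, the marker file's
# exact content, and a minimal hive stub with the 'regf' signature.
SAMPLE_DB = build_sqlite_header(2048, 3, 52, 0x21, 4, 1, 3, 3042000) + b"\x00" * (2048 - 100)
SAMPLE_MARKER = b"1713433884181"
SAMPLE_HIVE = b"regf" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("sample.db", SAMPLE_DB), ("marker.txt", SAMPLE_MARKER), ("Amcache.hve", SAMPLE_HIVE)):
        print(name, triage(blob))
```

Running the script on the constructed database header yields exactly the "File Type" string of the first entry in the listing, and the entropy of the 13-byte marker comes out as 2.19969, the value the report shows for it; the marker itself decodes to 2024-04-18 09:51:24.181 UTC. Reproducing these fields independently is a cheap way to confirm that a report's hashes and headers match the bytes you actually recovered from an infected host before relying on them as indicators.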
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.713192136777905
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Clipper DOS Executable (2020/12) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name:file.exe
File size:962'560 bytes
MD5:265d5b8b9f603f0f5ef62f2c27449607
SHA1:39576d6d8388dea489946141dbccf9cf5fe3a28f
SHA256:948d096a3931a22f116b93ffeefb3a374834d8eb578620c0ffc83f3e468eed81
SHA512:9d4ac79a62fbd0cb1d76c48848af7863dda72bd16368250a2258b3d30a4dddcb24c38ac62555222706041a5073cbc39d291b14ecdf222c7e04add5374403af66
SSDEEP:12288:oekLV5eBOkw6Qhe4Yh5wV/uVJuEk6sP4lX8DbDK45dg/bdlh84LZ8Xt8quJsHmrE:on6rhau/OglUbD5yb5LLuXBuJsH4
TLSH:EF25010277D1A8B1EE734A325E79D6A46A3EFC218E143B7B2B9C1D1F04710A1D672772
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....0.e...................
Icon Hash:494d496505514519
Entrypoint:0x4067b5
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x650B30FA [Wed Sep 20 17:50:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:3c62679fe3cea3c660b4a0b83c80e478
Instruction
call 00007F989D24CA4Dh
jmp 00007F989D2428A5h
push 00000014h
push 004222D0h
call 00007F989D249E6Ah
call 00007F989D244CF9h
movzx esi, ax
push 00000002h
call 00007F989D24C9E0h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F989D2428A6h
xor ebx, ebx
jmp 00007F989D2428D5h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F989D24288Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F989D24287Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F989D2428ABh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F989D2499C0h
test eax, eax
jne 00007F989D2428AAh
push 0000001Ch
call 00007F989D242981h
pop ecx
call 00007F989D248E84h
test eax, eax
jne 00007F989D2428AAh
push 00000010h
call 00007F989D242970h
pop ecx
call 00007F989D24CA59h
and dword ptr [ebp-04h], 00000000h
call 00007F989D24BBFFh
test eax, eax
jns 00007F989D2428AAh
push 0000001Bh
call 00007F989D242956h
pop ecx
call dword ptr [0041A0CCh]
mov dword ptr [02DB91C4h], eax
call 00007F989D24CA74h
mov dword ptr [004DD98Ch], eax
call 00007F989D24C417h
test eax, eax
jns 00007F989D2428AAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22884 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29ba000 | 0xf070 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a220 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x21368 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21320 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x198 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x18eda | 0x19000 | 62509bf8fa0c58ad883b5af906ba6344 | False | 0.57759765625 | data | 6.673644768223166 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1a000 | 0x91ea | 0x9200 | 8a1f7187b1a9fd064604f3ba4e748abf | False | 0.3885916095890411 | data | 4.872361647984149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x24000 | 0x29951c8 | 0xb9800 | e11d86f420c67affac608849e8346fe7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x29ba000 | 0xf070 | 0xf200 | 88e084c96dffdc92e0d0ced1e6ab08cd | False | 0.3863313533057851 | data | 4.364357540847168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x29c5998 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x29c5ac8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x29c5ba0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x29c6a48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x29c72f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_ICON | 0x29ba5e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.35794243070362475
RT_ICON | 0x29bb488 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4729241877256318
RT_ICON | 0x29bbd30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.4627593360995851
RT_ICON | 0x29be2d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.47162288930581614
RT_ICON | 0x29bf380 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5
RT_ICON | 0x29bf838 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4925373134328358
RT_ICON | 0x29c06e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4675090252707581
RT_ICON | 0x29c0f88 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.43713872832369943
RT_ICON | 0x29c14f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.27717842323651454
RT_ICON | 0x29c3a98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.2901031894934334
RT_ICON | 0x29c4b40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.31188524590163935
RT_ICON | 0x29c54c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.3351063829787234
RT_STRING | 0x29c7a68 | 0x46e | data | Romanian | Romania | 0.4470899470899471
RT_STRING | 0x29c7ed8 | 0x5e6 | data | Romanian | Romania | 0.43112582781456954
RT_STRING | 0x29c84c0 | 0x1d6 | data | Romanian | Romania | 0.48723404255319147
RT_STRING | 0x29c8698 | 0x2b4 | data | Romanian | Romania | 0.4956647398843931
RT_STRING | 0x29c8950 | 0x4ce | data | Romanian | Romania | 0.45447154471544715
RT_STRING | 0x29c8e20 | 0x250 | data | Romanian | Romania | 0.48817567567567566
RT_GROUP_CURSOR | 0x29c5b78 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x29c7858 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x29bf7e8 | 0x4c | data | Romanian | Romania | 0.75
RT_GROUP_ICON | 0x29c5930 | 0x68 | data | Romanian | Romania | 0.7115384615384616
RT_VERSION | 0x29c7888 | 0x1e0 | data | | | 0.5541666666666667
DLL | Import
KERNEL32.dll | GetNumaProcessorNode, GetLocaleInfoA, LoadLibraryExW, GetUserDefaultLCID, CreateHardLinkA, GetNumberFormatA, GlobalFindAtomA, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, GetCompressedFileSizeA, SetThreadLocale, GetLastError, FindVolumeMountPointClose, VirtualAlloc, CreateTimerQueueTimer, CopyFileA, FindFirstChangeNotificationW, LocalAlloc, GetExitCodeThread, AddAtomW, RemoveDirectoryW, SetCommMask, GetOEMCP, VirtualProtect, SetCalendarInfoA, GetWindowsDirectoryW, GetCurrentProcessId, AddConsoleAliasA, GetTempPathA, WriteProcessMemory, SetFileAttributesW, GetVolumeInformationW, CreateThread, CreateFileW, SetStdHandle, DebugActiveProcess, OutputDebugStringW, FlushFileBuffers, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapFree, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, EnumSystemLocalesW, IsValidCodePage, GetACP, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, GetFileType, CloseHandle, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, ReadFile, SetFilePointerEx, GetConsoleCP, GetConsoleMode
USER32.dll | GetMenuItemID
GDI32.dll | GetCharacterPlacementW
WINHTTP.dll | WinHttpReadData
Language of compilation system | Country where language is spoken | Map
Romanian | Romania | (map image not preserved)
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/18/24-10:30:16.680980 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49740 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:29:08.862568 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-10:29:04.926205 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/18/24-10:29:38.779297 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:30:10.701508 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49746 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:30:15.638714 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49747 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:29:04.737548 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:30:04.701296 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49739 | 58709 | 192.168.2.4 | 147.45.47.93
04/18/24-10:29:35.017563 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
04/18/24-10:30:09.489545 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49747 | 147.45.47.93 | 192.168.2.4
04/18/24-10:29:31.522217 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49739 | 147.45.47.93 | 192.168.2.4
04/18/24-10:29:40.034897 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49740 | 147.45.47.93 | 192.168.2.4
04/18/24-10:30:07.590057 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49746 | 147.45.47.93 | 192.168.2.4
04/18/24-10:30:11.578830 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49746 | 147.45.47.93 | 192.168.2.4
04/18/24-10:30:11.622681 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49747 | 147.45.47.93 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                            Apr 18, 2024 10:29:39.837074995 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:40.034897089 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.104358912 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.154145002 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:40.372591972 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.466644049 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:40.513704062 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:40.592116117 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:40.592160940 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.592245102 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:40.593318939 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:40.593343019 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.776199102 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.815577030 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.815634966 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:40.817361116 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:40.817369938 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.817692041 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:40.935385942 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:42.510308981 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:42.552118063 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.647994041 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.648113012 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.648359060 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:42.648631096 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:42.648652077 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.648669958 CEST49741443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:42.648677111 CEST4434974134.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.652565956 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.652596951 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.652673006 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.652977943 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.652992964 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.868295908 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.868376970 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.869816065 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.869829893 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.870100975 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:42.871510983 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:42.916121006 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.217190981 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.217278957 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.217375040 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:43.511898041 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.512176037 CEST4973058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:43.696193933 CEST49742443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:43.696230888 CEST44349742104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.698014975 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:43.776177883 CEST5870949730147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.964008093 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.969062090 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:43.982923985 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:44.245280027 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:44.922626019 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:45.182862997 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:45.437072039 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:45.574596882 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:45.638667107 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:45.654268980 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.078507900 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.338785887 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361679077 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361830950 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361843109 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361854076 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361870050 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361876965 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.361892939 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.361898899 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361912966 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361927032 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361941099 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.361952066 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361963987 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.361974955 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.362001896 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.583328962 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.583482027 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.583494902 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.583513021 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.583528042 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.583539963 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.583587885 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.622967958 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.835642099 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:46.835673094 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.835753918 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:46.836954117 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:46.836970091 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.875559092 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:46.935440063 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:46.951150894 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:47.058921099 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.059017897 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.060256958 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.060264111 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.061342001 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.202055931 CEST5870949739147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.263598919 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.326046944 CEST4973958709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:29:47.865735054 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.912130117 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.998555899 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.998893976 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.998976946 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.999136925 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.999161959 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:47.999181032 CEST49743443192.168.2.434.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:29:47.999191046 CEST4434974334.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:48.007915020 CEST49744443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:48.007950068 CEST44349744104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:48.008116961 CEST49744443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:48.008315086 CEST49744443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:29:48.008341074 CEST44349744104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:29:48.231945038 CEST44349744104.26.4.15192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Apr 18, 2024 10:29:48.232027054 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:48.809346914 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:48.809364080 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:48.809773922 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:48.811939955 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:48.852121115 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:49.016307116 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:49.016396999 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:49.016539097 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:49.016690016 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:49.016707897 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:49.016733885 CEST  49744        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:29:49.016755104 CEST  443          49744      104.26.4.15     192.168.2.4
Apr 18, 2024 10:29:49.017139912 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:29:49.276429892 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:29:52.810661077 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:29:52.810755014 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:29:53.032233000 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 18, 2024 10:29:53.032280922 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:29:53.307497025 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 18, 2024 10:29:55.841995955 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:29:56.063532114 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:00.780034065 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:00.810933113 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:01.073508024 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:01.188863993 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:01.188863993 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:01.407455921 CEST  58709        49739      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:01.407475948 CEST  58709        49739      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:01.407584906 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:01.667211056 CEST  58709        49739      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:04.701296091 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:04.717041016 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:04.936168909 CEST  58709        49739      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:07.146893024 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:07.368458986 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:07.368554115 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:07.380073071 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:07.590056896 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:07.651559114 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:07.732347012 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.051378965 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.270797968 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:09.270912886 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.280766964 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:09.288727045 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.326086998 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.374373913 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.489545107 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:09.544930935 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:09.557600975 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:09.636127949 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.386878014 CEST  58709        49730      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.387119055 CEST  49730        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:10.701508045 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:10.924354076 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924376965 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924388885 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924401999 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924415112 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924428940 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924448967 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924467087 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924480915 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924496889 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:10.924617052 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:10.924736977 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:10.963987112 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143111944 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143138885 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143153906 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143167973 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143183947 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.143268108 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.143435955 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.232422113 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.303364038 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.349241972 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.357372999 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.404236078 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.495465994 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.578830004 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.622680902 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:11.623008013 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:11.669858932 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.014692068 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.060693979 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.107537985 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.199933052 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.229641914 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.248013973 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.279331923 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.308712006 CEST  58709        49739      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.308842897 CEST  49739        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.370112896 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.437618971 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.482331991 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.511204004 CEST  49747        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.668227911 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.716711044 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:12.776336908 CEST  58709        49747      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.933665037 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:12.982350111 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:13.184067965 CEST  49746        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:13.448396921 CEST  58709        49746      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:13.509038925 CEST  49740        58709      192.168.2.4     147.45.47.93
Apr 18, 2024 10:30:13.733345985 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.733401060 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.733463049 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.734801054 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.734816074 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.745253086 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.745282888 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.745342016 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.746412992 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.746428967 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.776545048 CEST  58709        49740      147.45.47.93    192.168.2.4
Apr 18, 2024 10:30:13.956914902 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.956990004 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.958483934 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.958498955 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.958811998 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.969749928 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.969839096 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.971666098 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:13.971674919 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:13.972491026 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:14.013580084 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:14.014370918 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.437793970 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.475986958 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.480123997 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.516130924 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.571181059 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.571522951 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.571583033 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.571737051 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.571758032 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.571774006 CEST  49748        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.571779966 CEST  443          49748      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.573734045 CEST  49750        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:30:15.573765993 CEST  443          49750      104.26.4.15     192.168.2.4
Apr 18, 2024 10:30:15.573954105 CEST  49750        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:30:15.574409962 CEST  49750        443        192.168.2.4     104.26.4.15
Apr 18, 2024 10:30:15.574425936 CEST  443          49750      104.26.4.15     192.168.2.4
Apr 18, 2024 10:30:15.609733105 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.609864950 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.609925985 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.610260963 CEST  49749        443        192.168.2.4     34.117.186.192
Apr 18, 2024 10:30:15.610282898 CEST  443          49749      34.117.186.192  192.168.2.4
Apr 18, 2024 10:30:15.610306978 CEST  49749        443        192.168.2.4     34.117.186.192
                                                                                                                                                                            Apr 18, 2024 10:30:15.610313892 CEST4434974934.117.186.192192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:15.615479946 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:15.615519047 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:15.615820885 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:15.616163015 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:15.616182089 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:15.638714075 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:15.797445059 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:15.797516108 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:15.836080074 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:15.836148024 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:15.901771069 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.264626026 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.264657974 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.265786886 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.267456055 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.279737949 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.279781103 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.280149937 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.281611919 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.312124014 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.324117899 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.441598892 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.441844940 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.441906929 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.441977978 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.441993952 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.442012072 CEST49750443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.442017078 CEST44349750104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.442481995 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:16.457328081 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.457427979 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.457791090 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.457837105 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.457851887 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.457869053 CEST49751443192.168.2.4104.26.4.15
                                                                                                                                                                            Apr 18, 2024 10:30:16.457874060 CEST44349751104.26.4.15192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.458205938 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:16.680979967 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:16.714173079 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.729604006 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:16.948194981 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:17.653800964 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:17.779259920 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:19.919013977 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:20.091759920 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:20.291917086 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:20.292560101 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:20.798018932 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:20.842061043 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:20.888710976 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:21.013632059 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:21.243944883 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:21.358130932 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:21.510782957 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:21.620575905 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:22.561589003 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:22.608364105 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:22.701132059 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:22.779223919 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:25.685532093 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:25.685580015 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:25.904118061 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:25.907056093 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:25.981169939 CEST5870949747147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:25.981197119 CEST5870949746147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:25.981261969 CEST4974758709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:25.981307983 CEST4974658709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:27.420825958 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:27.420941114 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:27.639645100 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:27.639700890 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:27.639735937 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:27.639739990 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:27.901642084 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:30.483279943 CEST4974058709192.168.2.4147.45.47.93
                                                                                                                                                                            Apr 18, 2024 10:30:30.701900005 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:31.121978045 CEST5870949740147.45.47.93192.168.2.4
                                                                                                                                                                            Apr 18, 2024 10:30:31.122035027 CEST4974058709192.168.2.4147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 10:29:18.041536093 CEST | 55437 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 10:29:18.146187067 CEST | 53 | 55437 | 1.1.1.1 | 192.168.2.4
Apr 18, 2024 10:29:21.180342913 CEST | 50748 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 10:29:21.285166025 CEST | 53 | 50748 | 1.1.1.1 | 192.168.2.4
Apr 18, 2024 10:30:13.201637030 CEST | 54553 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 10:30:13.306106091 CEST | 53 | 54553 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 10:29:18.041536093 CEST | 192.168.2.4 | 1.1.1.1 | 0x39b7 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:29:21.180342913 CEST | 192.168.2.4 | 1.1.1.1 | 0x295f | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:30:13.201637030 CEST | 192.168.2.4 | 1.1.1.1 | 0x86e2 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 10:29:18.146187067 CEST | 1.1.1.1 | 192.168.2.4 | 0x39b7 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:29:21.285166025 CEST | 1.1.1.1 | 192.168.2.4 | 0x295f | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:29:21.285166025 CEST | 1.1.1.1 | 192.168.2.4 | 0x295f | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:29:21.285166025 CEST | 1.1.1.1 | 192.168.2.4 | 0x295f | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 10:30:13.306106091 CEST | 1.1.1.1 | 192.168.2.4 | 0x86e2 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 34.117.186.192 | 443 | 7328 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:21 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-18 08:29:21 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Thu, 18 Apr 2024 08:29:21 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 980
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-18 08:29:21 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 08:29:21 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 104.26.4.15 | 443 | 7328 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:21 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 08:29:21 UTC | 660 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 08:29:21 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471E2C:3062_93878F2E:0050_6620D9E1_8A0B400:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmgaHY5j%2BqL8E47Rw4n8JxcHh7ytoqR1R%2Bf%2Fm7yt5iqS9Cd09qGFCLp%2BY2C9eAbFQpVcfmf22YDzjmWmFxuXNVUE%2FYBiNTI5jBOePAlWK6rtkr%2BabWnK83EjCA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87634962994fadd2-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 08:29:21 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 08:29:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
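The two lookups recorded in these sessions (ipinfo.io's /widget/demo/<ip> with a same-site Referer, and db-ip.com's /demo/home.php?s=<ip>) are repeated by file.exe and by the dropped RageMP131.exe from three different PIDs, each time with a Chrome User-Agent from a process that is not a browser. The following is an added example, not part of the Joe Sandbox report: it decodes the chunked db-ip.com reply exactly as captured above, pulls the queried IP out of either URL shape, and flags geolocation requests from non-browser processes. The session records are constructed from the report's session tables plus one made-up chrome.exe control; the host list, the browser list and all function names are assumptions of this example.

```python
import json
import re

# Added example, not part of the Joe Sandbox report. Values are taken from the
# report's session tables; the function names, the host and browser lists and
# the chrome.exe control record (id 99) are this example's own assumptions.

# db-ip.com reply exactly as captured in the report's "Data Raw" rows:
# one 0x4f-byte chunk (85 bytes on the wire) followed by the 5-byte terminator.
DBIP_CHUNKED_BODY = (
    b"4f\r\n"
    b'{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}\r\n'
    b"0\r\n\r\n"
)

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
RAGEMP = r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

# One record per request in sessions 1-5 of the report, plus a constructed
# control (id 99): a real browser doing the same lookup, which must not be flagged.
SESSIONS = [
    dict(id=1, pid=7328, process=r"C:\Users\user\Desktop\file.exe", host="db-ip.com",
         path="/demo/home.php?s=81.181.57.52", ua=CHROME_UA, referer=None),
    dict(id=2, pid=7988, process=RAGEMP, host="ipinfo.io",
         path="/widget/demo/81.181.57.52", ua=CHROME_UA, referer="https://ipinfo.io/"),
    dict(id=3, pid=7988, process=RAGEMP, host="db-ip.com",
         path="/demo/home.php?s=81.181.57.52", ua=CHROME_UA, referer=None),
    dict(id=4, pid=2352, process=RAGEMP, host="ipinfo.io",
         path="/widget/demo/81.181.57.52", ua=CHROME_UA, referer="https://ipinfo.io/"),
    dict(id=5, pid=2352, process=RAGEMP, host="db-ip.com",
         path="/demo/home.php?s=81.181.57.52", ua=CHROME_UA, referer=None),
    dict(id=99, pid=4242, process=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         host="ipinfo.io", path="/widget/demo/81.181.57.52", ua=CHROME_UA,
         referer="https://ipinfo.io/"),  # constructed control, not in the report
]

GEOLOOKUP_HOSTS = {"ipinfo.io", "db-ip.com"}                    # the two services in the report
BROWSER_BASENAMES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: legitimate UA owners
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-encoded body (RFC 9112 section 7.1):
    each chunk is <hex size>[;extensions] CRLF <data> CRLF, ended by a zero-size chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # chunk extensions are ignored
        pos = eol + 2
        if size == 0:
            return bytes(out)                             # trailer fields, if any, are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


def parse_dbip(raw: bytes) -> dict:
    """Decode the chunked db-ip.com reply and return its JSON payload."""
    return json.loads(decode_chunked(raw))


def queried_ip(path: str) -> str:
    """IP the caller asked the service about: the path segment on ipinfo.io
    (/widget/demo/<ip>) or the s= parameter on db-ip.com (/demo/home.php?s=<ip>)."""
    m = IP_RE.search(path)
    return m.group(0) if m else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(session: dict) -> list:
    """Reasons a request looks like the check-in seen in the report; [] if none."""
    proc = basename(session["process"])
    if proc in BROWSER_BASENAMES:
        return []                      # a real browser talking to these sites is expected
    reasons = []
    if session["host"] in GEOLOOKUP_HOSTS:
        reasons.append(f"{proc} queried IP-geolocation service {session['host']}")
    if "Chrome/" in session["ua"]:
        reasons.append(f"{proc} presents a Chrome User-Agent")
    if session["referer"] and session["host"] in session["referer"]:
        reasons.append(f"{proc} claims Referer {session['referer']} like the site's own widget")
    return reasons


def flagged_processes(sessions) -> dict:
    """Map each process basename that tripped a rule to the hosts it queried."""
    out = {}
    for s in sessions:
        if classify(s):
            out.setdefault(basename(s["process"]), set()).add(s["host"])
    return out


if __name__ == "__main__":
    print("db-ip reply:", parse_dbip(DBIP_CHUNKED_BODY))
    print("external IPs queried:", sorted({queried_ip(s["path"]) for s in SESSIONS}))
    for proc, hosts in flagged_processes(SESSIONS).items():
        print(f"FLAG {proc}: {sorted(hosts)}")
```

The chunk decoder is what turns the captured 85-byte and 5-byte rows back into the JSON the report shows in its Data Ascii column; note that the service answered "over query limit" rather than location data, so the db-ip.com call gave the sample nothing this time, while ipinfo.io (previous session) returned the full record for 81.181.57.52.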


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49741 | 34.117.186.192 | 443 | 7988 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:42 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 08:29:42 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 08:29:42 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 08:29:42 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 08:29:42 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 104.26.4.15 | 443 | 7988 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:42 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 08:29:43 UTC | 660 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 08:29:43 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC4546E9:B7E4_93878F2E:0050_6620D9F7_8A36ECB:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7AH%2FE4gT%2F9k5vQ%2BWKSwOiFfvUAeBwndwY447miWGOXQagH%2BA4OljMze5CdRuUHR5wnaRlFzWH46bMT9VLtwL%2BTy3xHlH6FTTQg5otBw5o2bTM7rS4%2FGyanSIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 876349e81d5a674f-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 08:29:43 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 08:29:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49743 | 34.117.186.192 | 443 | 2352 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:47 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 08:29:47 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 08:29:47 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 08:29:47 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 08:29:47 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49744 | 104.26.4.15 | 443 | 2352 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:29:48 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 08:29:49 UTC | 660 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 08:29:48 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454797:59C6_93878F2E:0050_6620D9FC_8A0B99B:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ol4GG5ug5N5NERZZANJSTHCY%2Bws23ert3WmM8TnwbmdY2N6Bh8zrySe1%2BSWzstXXo1Buob%2BHKPuYX%2BGZkI5Z%2Fl4q13aUNgKZDeJRDuB%2FjkvfZZrgobFvnQF0Ug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87634a0c583144e5-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 08:29:49 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                                                                                                                                            2024-04-18 08:29:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49748 | 34.117.186.192 | 443 | 7584 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:30:15 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 08:30:15 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 08:30:15 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 08:30:15 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 08:30:15 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49749 | 34.117.186.192 | 443 | 7592 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:30:15 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-18 08:30:15 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 18 Apr 2024 08:30:15 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-18 08:30:15 UTC | 742 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 30 33 30 32 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f
Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-18 08:30:15 UTC | 238 | IN | Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 41 76 65 72 65 73 63 75 20 4d 61 72 65 73 61 6c 20 38 2d 31 30 2c 20 42 75 63 68 61 72 65 73 74 2c 20 52 6f 6d 61 6e 69 61 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 52 4f 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 2d 62 69 6e 62 6f 78 40 72 6e 63 2e 72 6f 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 63 6f 6e 74 61 63 74 20 72 6f 6c 65 20 6f 62 6a 65 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 31 2e 31 38 31 2e 34 38 2e 30 2f 32 30 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 34 30 20 33 37 38 20 36 30 30 20 30 30 30 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49750 | 104.26.4.15 | 443 | 7584 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:30:16 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 08:30:16 UTC | 658 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 08:30:16 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: 6CA2EE4C:7634_93878F2E:0050_6620DA18_8A37467:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=72hCCpcoOaaHEpoZMYYe0%2Bby7pwnBBapIME9kKOTYVVMTbSiY%2F5E9H5V6%2Fg36pazTKctNKo3rNENRpa5BmYQp2Gi3wezeR4OvWAWc2aGAvCuT%2Fqtx3p2LOoo%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87634ab7fc671f9d-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 08:30:16 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 08:30:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49751 | 104.26.4.15 | 443 | 7592 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 08:30:16 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-18 08:30:16 UTC | 648 | IN | HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 08:30:16 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC471F62:F84C_93878F2E:0050_6620DA18_8A0BD97:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2UsVHfwJ0Ebh38mdX6NCaCSKgwdoTkFZ1RqQNQpeJgabzettT35JmfBnaUwalalf5QzhIlw7uJagrIdSurwL7hNFds9Cr0vLfUFEjcTcS9yqyckeutEf9ec6w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87634ab808987be2-ATL
alt-svc: h3=":443"; ma=86400
2024-04-18 08:30:16 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-18 08:30:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
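The sessions above show the dropped MPGPH131.exe, from two PIDs (7584 and 7592), asking ipinfo.io and db-ip.com for the geolocation of the sandbox's public IP 81.181.57.52; this is the network side of the "Country aware sample" behaviour flagged in the signatures. The db-ip.com demo endpoint answered with a chunked JSON body that is a rate-limit error, not geodata, so only the ipinfo.io reply ("country": "US") gave the sample a usable answer. The Python below is an added example and not part of the Joe Sandbox report or of the malware: it turns the captured "Data Raw" hex of session 8 back into wire bytes, strips the HTTP/1.1 chunked-transfer framing (the leading "4f" is the chunk size, 79 bytes, and "0\r\n\r\n" is the last-chunk), interprets the JSON, and runs the triage check an analyst would apply to the session table (a process outside the browser install directories contacting IP-geolocation hosts). The hex dump and session rows are copied from the report; the browser-directory list used by the triage helper is an assumption for illustration.

```python
"""Decode and triage the geolocation lookups captured in the sandbox trace.

Added example, not part of the Joe Sandbox report. Run: python geo_trace.py
"""
import json

# Bytes copied from the report's "Data Raw" lines for session 8 (db-ip.com):
# an 85-byte chunk carrying the JSON body, then the 5-byte last-chunk "0\r\n\r\n".
CAPTURED_HEX = [
    "34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f "
    "49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 "
    "72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 "
    "69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a",
    "30 0d 0a 0d 0a",
]

# Session table rows copied from the report: (session id, Host header, PID, process path).
SESSIONS = [
    (6, "ipinfo.io", 7584, "C:\\ProgramData\\MPGPH131\\MPGPH131.exe"),
    (7, "ipinfo.io", 7592, "C:\\ProgramData\\MPGPH131\\MPGPH131.exe"),
    (8, "db-ip.com", 7584, "C:\\ProgramData\\MPGPH131\\MPGPH131.exe"),
    (9, "db-ip.com", 7592, "C:\\ProgramData\\MPGPH131\\MPGPH131.exe"),
]

GEO_HOSTS = {"ipinfo.io", "db-ip.com"}  # the geolocation services seen in this trace

# Assumption for illustration: processes under these directories are treated as
# legitimate browsers and are not flagged for geolocation lookups.
BROWSER_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def hex_to_bytes(hex_lines):
    """Turn the report's space-separated hex dump back into the wire bytes."""
    return bytes.fromhex(" ".join(hex_lines))


def decode_chunked(stream):
    """Strip HTTP/1.1 chunked transfer framing and return the payload.

    Each chunk is "<hex size>[;ext]\\r\\n<size bytes>\\r\\n"; a size of 0 ends the body.
    A stream that ends mid-chunk raises ValueError instead of returning partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = stream.index(b"\r\n", pos)               # ValueError if no size line
        size = int(stream[pos:eol].split(b";", 1)[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                          # last-chunk reached
        end = pos + size
        if stream[end:end + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk at offset %d" % pos)
        out += stream[pos:end]
        pos = end + 2


def classify_geo_reply(body):
    """Interpret the JSON the sample received from the db-ip demo endpoint.

    In this trace the free endpoint refused the query, so the sample got no
    geodata from db-ip.com at all; any other demoInfo payload is passed through.
    """
    reply = json.loads(body)
    info = reply.get("demoInfo", {})
    if "error" in info:
        return {"rate_limited": True, "error": info["error"], "geo": None}
    return {"rate_limited": False, "error": None, "geo": info}


def geo_lookups_by_non_browser(sessions, geo_hosts=GEO_HOSTS):
    """Map (pid, path) -> set of geolocation hosts contacted by non-browser processes."""
    flagged = {}
    for _sid, host, pid, path in sessions:
        if host in geo_hosts and not path.lower().startswith(BROWSER_DIRS):
            flagged.setdefault((pid, path), set()).add(host)
    return flagged


if __name__ == "__main__":
    body = decode_chunked(hex_to_bytes(CAPTURED_HEX))
    print("decoded %d bytes: %s" % (len(body), body.decode()))
    print("db-ip reply:", classify_geo_reply(body))
    for (pid, path), hosts in geo_lookups_by_non_browser(SESSIONS).items():
        print("PID %d %s queried %s" % (pid, path, ", ".join(sorted(hosts))))
```

The decoder refuses a body that stops mid-chunk rather than returning a partial JSON object, which matters when a capture is cut off as the ipinfo.io hex dumps above are; the triage helper flags both MPGPH131.exe PIDs against both hosts, which is the pattern to look for when hunting for geofencing checks in proxy or EDR network logs.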


Target ID: 0
Start time: 10:28:54
Start date: 18/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 962'560 bytes
MD5 hash: 265D5B8B9F603F0F5EF62F2C27449607
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2256177341.000000000302E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:1
                                                                                                                                                                            Start time:10:29:02
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                            Imagebase:0xa20000
                                                                                                                                                                            File size:187'904 bytes
                                                                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:2
                                                                                                                                                                            Start time:10:29:02
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:3
                                                                                                                                                                            Start time:10:29:02
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                            Imagebase:0xa20000
                                                                                                                                                                            File size:187'904 bytes
                                                                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:4
                                                                                                                                                                            Start time:10:29:02
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:7
                                                                                                                                                                            Start time:10:29:02
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:8
                                                                                                                                                                            Start time:10:29:03
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                            Imagebase:0x80000
                                                                                                                                                                            File size:962'560 bytes
                                                                                                                                                                            MD5 hash:265D5B8B9F603F0F5EF62F2C27449607
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 100%, Avira
                                                                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                            • Detection: 47%, ReversingLabs
                                                                                                                                                                            • Detection: 48%, Virustotal, Browse
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:9
                                                                                                                                                                            Start time:10:29:03
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            File size:962'560 bytes
                                                                                                                                                                            MD5 hash:265D5B8B9F603F0F5EF62F2C27449607
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:11
                                                                                                                                                                            Start time:10:29:11
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 960
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:10:29:13
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1008
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:10:29:14
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 996
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:10:29:14
Start date:18/04/2024
Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:0x400000
File size:962'560 bytes
MD5 hash:265D5B8B9F603F0F5EF62F2C27449607
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2343081719.0000000003065000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2350560658.0000000003069000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2307237063.0000000003058000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2348884384.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 47%, ReversingLabs
• Detection: 48%, Virustotal
Reputation:low
Has exited:true

Target ID:19
Start time:10:29:16
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1020
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:21
Start time:10:29:18
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1416
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:25
Start time:10:29:21
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1828
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:26
Start time:10:29:24
Start date:18/04/2024
Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:0x400000
File size:962'560 bytes
MD5 hash:265D5B8B9F603F0F5EF62F2C27449607
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2603079344.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:true

Target ID:28
Start time:10:29:26
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1848
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:30
Start time:10:29:28
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 820
Imagebase:0xdd0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                            Target ID:32
                                                                                                                                                                            Start time:10:29:29
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1808
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:34
                                                                                                                                                                            Start time:10:29:32
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1940
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:36
                                                                                                                                                                            Start time:10:29:35
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 940
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:38
                                                                                                                                                                            Start time:10:29:35
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1948
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:40
                                                                                                                                                                            Start time:10:29:36
                                                                                                                                                                            Start date:18/04/2024
                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 952
                                                                                                                                                                            Imagebase:0xdd0000
                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Has exited:true


                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:19%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                              Signature Coverage:32.5%
                                                                                                                                                                              Total number of Nodes:2000
                                                                                                                                                                              Total number of Limit Nodes:93
API calls __dosmaperr 65133->65151 65140 4ea480 EnterCriticalSection 65134->65140 65136 4eb34c 65141 4eb0f6 65136->65141 65139->65080 65140->65136 65144 4eb108 __fread_nolock 65141->65144 65146 4eb11a 65141->65146 65142 4eb115 65152 4ea92f 11 API calls __dosmaperr 65142->65152 65144->65142 65145 4eb166 65144->65145 65144->65146 65145->65146 65147 4eb291 __fread_nolock 65145->65147 65150 4f1ac4 __fread_nolock 17 API calls 65145->65150 65153 4e611b 11 API calls 3 library calls 65145->65153 65146->65139 65154 4ea92f 11 API calls __dosmaperr 65147->65154 65150->65145 65151->65139 65152->65146 65153->65145 65154->65146 65157 470dcb 65155->65157 65196 4ea56b 65157->65196 65158 470ecb 65199 46ede0 65158->65199 65160 46a6dc 65161 46ca20 65160->65161 65162 46cf73 65161->65162 65166 46ca55 65161->65166 65243 474ac0 65162->65243 65164 46cfb5 65165 46ede0 4 API calls 65164->65165 65168 46cfc2 65165->65168 65313 46f190 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65166->65313 65190 46d0cb 65168->65190 65317 408130 6 API calls 65168->65317 65170 46d041 65318 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65170->65318 65171 466ee0 2 API calls 65192 46cda0 65171->65192 65172 46cb9b 65173 46ede0 4 API calls 65172->65173 65176 46cbeb 65173->65176 65175 46cd48 65183 466ee0 2 API calls 65175->65183 65195 46ccf1 65176->65195 65314 408130 6 API calls 65176->65314 65177 46ceb8 65179 466ee0 2 API calls 65177->65179 65178 46d059 65181 46d078 ___std_exception_destroy ___std_exception_destroy 65178->65181 65179->65192 65181->65190 65182 46cc6a 65315 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65182->65315 65186 46cd8e 65183->65186 65184 46ce6a 65184->65177 65187 466ee0 2 API calls 65184->65187 65189 466ee0 2 API calls 65186->65189 65187->65177 65188 46cc7f 65316 474a80 RaiseException Concurrency::cancel_current_task 65188->65316 65189->65192 65190->65171 
65190->65192 65192->64847 65193 46cc92 65194 46cc9e ___std_exception_destroy ___std_exception_destroy 65193->65194 65194->65195 65195->65175 65195->65184 65195->65192 65213 4f307b GetLastError 65196->65213 65198 4ea576 65198->65158 65200 46edef 65199->65200 65204 46ee10 65199->65204 65238 470150 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65200->65238 65203 46edf4 65203->65204 65239 470150 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65203->65239 65207 46ee17 65204->65207 65241 46f1f0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65204->65241 65206 46ee02 65206->65207 65240 470150 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65206->65240 65207->65160 65209 46ee57 65210 470150 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65209->65210 65211 46eef0 65209->65211 65242 46f1f0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65209->65242 65210->65209 65211->65160 65214 4f3097 65213->65214 65215 4f3091 65213->65215 65218 4f309b SetLastError 65214->65218 65234 4f48d4 6 API calls __InternalCxxFrameHandler 65214->65234 65233 4f4895 6 API calls __InternalCxxFrameHandler 65215->65233 65223 4f312b 65218->65223 65220 4f30b3 65220->65218 65221 4f30e1 65220->65221 65222 4f30d0 65220->65222 65236 4f48d4 6 API calls __InternalCxxFrameHandler 65221->65236 65235 4f48d4 6 API calls __InternalCxxFrameHandler 65222->65235 65223->65198 65226 4f30de 65230 4f4253 __freea 11 API calls 65226->65230 65227 4f30ed 65228 4f3108 __dosmaperr 65227->65228 65229 4f30f1 65227->65229 65232 4f4253 __freea 11 API calls 65228->65232 65237 4f48d4 6 API calls __InternalCxxFrameHandler 65229->65237 65230->65218 65232->65218 65233->65214 65234->65220 65235->65226 65236->65227 65237->65226 65238->65203 65239->65206 65240->65204 65241->65209 65242->65209 65265 474b27 65243->65265 65244 475752 65338 
408130 6 API calls 65244->65338 65245 478a70 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65245->65265 65250 475137 65328 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65250->65328 65251 4757bf 65339 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65251->65339 65256 472c00 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65256->65265 65257 466ee0 ___std_exception_copy RaiseException 65257->65265 65258 475049 65326 408130 6 API calls 65258->65326 65259 475146 65329 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65259->65329 65260 4757d7 65262 4757f8 ___std_exception_destroy ___std_exception_destroy 65260->65262 65261 46f190 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65261->65265 65291 475044 65262->65291 65263 46ede0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65263->65265 65265->65244 65265->65245 65265->65250 65265->65256 65265->65257 65265->65258 65265->65261 65265->65263 65268 475391 65265->65268 65270 474f14 65265->65270 65272 4752aa 65265->65272 65273 4764b0 ___std_exception_copy RaiseException 65265->65273 65275 475574 65265->65275 65277 4673c0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65265->65277 65265->65291 65296 47547a 65265->65296 65319 478e20 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65265->65319 65320 47f0a0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException Concurrency::cancel_current_task 65265->65320 65321 479180 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65265->65321 65322 478c10 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65265->65322 65323 478fe0 ___std_exception_copy 
___std_exception_copy ___std_exception_copy RaiseException 65265->65323 65266 4750bd 65327 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65266->65327 65332 408130 6 API calls 65268->65332 65274 402f50 3 API calls 65270->65274 65271 475199 65279 4751be ___std_exception_destroy ___std_exception_destroy 65271->65279 65310 475009 65271->65310 65330 408130 6 API calls 65272->65330 65273->65265 65276 474f3d 65274->65276 65336 408130 6 API calls 65275->65336 65324 408130 6 API calls 65276->65324 65277->65265 65279->65310 65281 4750d5 65289 4750f6 ___std_exception_destroy ___std_exception_destroy 65281->65289 65282 475317 65331 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65282->65331 65283 4de42b Concurrency::cancel_current_task RaiseException 65287 47589a 65283->65287 65284 475400 65333 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65284->65333 65289->65250 65291->65164 65292 4755e8 65337 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65292->65337 65293 474f97 65325 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65293->65325 65297 402f50 3 API calls 65296->65297 65298 4754a3 65297->65298 65334 408130 6 API calls 65298->65334 65299 47532f 65301 475350 ___std_exception_destroy ___std_exception_destroy 65299->65301 65300 475418 65302 475439 ___std_exception_destroy ___std_exception_destroy 65300->65302 65301->65268 65302->65310 65303 475600 65306 475621 ___std_exception_destroy ___std_exception_destroy 65303->65306 65304 474fac 65307 474fca ___std_exception_destroy ___std_exception_destroy 65304->65307 65306->65291 65307->65310 65308 4754fa 65335 46e550 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException CatchIt 65308->65335 65310->65283 65310->65291 65311 475512 65312 475533 ___std_exception_destroy 
___std_exception_destroy 65311->65312 65312->65275 65313->65172 65314->65182 65315->65188 65316->65193 65317->65170 65318->65178 65319->65265 65320->65265 65321->65265 65322->65265 65323->65265 65324->65293 65325->65304 65326->65266 65327->65281 65328->65259 65329->65271 65330->65282 65331->65299 65332->65284 65333->65300 65334->65308 65335->65311 65336->65292 65337->65303 65338->65251 65339->65260 65342 4c2bbd __fread_nolock 65340->65342 65341 48db50 11 API calls 65346 4c30f7 65341->65346 65348 4c2bc2 65342->65348 65363 4ce620 65342->65363 65345 4c2dad 65367 4d8fc0 65345->65367 65346->64854 65348->65341 65348->65346 65349 4c2ed1 65358 4c2ee3 CatchIt 65349->65358 65394 4b2c90 65349->65394 65351 4c2c73 CatchIt 65351->65348 65353 4d8fc0 11 API calls 65351->65353 65355 4c2cb5 65351->65355 65354 4c2d3b 65353->65354 65354->65355 65357 48db50 11 API calls 65354->65357 65355->65349 65386 498900 65355->65386 65393 498a50 11 API calls 65355->65393 65357->65355 65359 48db50 11 API calls 65358->65359 65362 4c3050 65358->65362 65359->65362 65361 48db50 11 API calls 65361->65362 65362->65348 65362->65361 65404 49e5e0 15 API calls 65362->65404 65364 4c2c52 65363->65364 65365 4ce635 65363->65365 65364->65345 65364->65351 65365->65364 65366 48db50 11 API calls 65365->65366 65366->65365 65368 4d8ff6 65367->65368 65369 4d93e2 65368->65369 65371 48db50 11 API calls 65368->65371 65372 4d90ae 65368->65372 65369->65355 65370 48db50 11 API calls 65373 4d9204 65370->65373 65371->65372 65372->65370 65374 48db50 11 API calls 65373->65374 65375 4d92ac 65373->65375 65374->65375 65376 4d92df 65375->65376 65405 4b3010 11 API calls 65375->65405 65378 48db50 11 API calls 65376->65378 65379 4d92f9 65376->65379 65378->65379 65380 48db50 11 API calls 65379->65380 65383 4d9332 65379->65383 65380->65383 65381 4d93a1 65382 4d93c8 65381->65382 65406 4b3010 11 API calls 65381->65406 65382->65355 65383->65381 65385 48db50 11 API calls 65383->65385 65385->65383 65387 498937 65386->65387 65391 498921 
65386->65391 65387->65355 65391->65387 65407 498660 65391->65407 65420 496e20 11 API calls 65391->65420 65421 498870 15 API calls __fread_nolock 65391->65421 65422 498340 11 API calls 65391->65422 65393->65355 65395 4b2cdf 65394->65395 65398 4b2caf 65394->65398 65396 4ce620 11 API calls 65395->65396 65399 4b2cf8 65396->65399 65398->65395 65403 4b2e06 65398->65403 65468 4b8140 11 API calls 65398->65468 65400 48db50 11 API calls 65399->65400 65401 4b2da8 __fread_nolock 65399->65401 65400->65399 65402 48db50 11 API calls 65401->65402 65401->65403 65402->65403 65403->65358 65404->65362 65405->65376 65406->65381 65423 496450 65407->65423 65410 496a70 15 API calls 65413 49868f 65410->65413 65411 4987c7 65415 4987cf 65411->65415 65444 496a10 11 API calls 65411->65444 65413->65411 65414 498777 65413->65414 65413->65415 65419 498793 65414->65419 65443 496a10 11 API calls 65414->65443 65415->65391 65417 4987a9 65417->65391 65439 492c30 65419->65439 65420->65391 65421->65391 65422->65391 65424 4964ab 65423->65424 65425 49646a 65423->65425 65427 4964e7 65424->65427 65436 496529 65424->65436 65445 491fc0 65424->65445 65455 492990 65425->65455 65427->65410 65427->65415 65429 4968c7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 65433 49685d 65429->65433 65430 49691f 65432 492990 11 API calls 65430->65432 65434 4966b5 65430->65434 65431 496584 65431->65429 65431->65433 65431->65434 65432->65434 65433->65430 65433->65434 65438 491300 4 API calls 65433->65438 65434->65427 65435 492990 11 API calls 65434->65435 65435->65427 65436->65431 65436->65434 65459 494960 11 API calls 65436->65459 65438->65430 65440 492c3c 65439->65440 65441 48db50 11 API calls 65440->65441 65442 492c5f 65440->65442 65441->65442 65442->65417 65443->65419 65444->65415 65446 491fd5 65445->65446 65447 491fdb 65446->65447 65448 491fed GetVersionExA 65446->65448 65449 492016 65446->65449 65447->65436 65448->65449 65450 49201d GetFileAttributesW 65449->65450 65451 492025 GetFileAttributesA 65449->65451 65452 49202b 
65450->65452 65451->65452 65453 4eaec6 __freea 11 API calls 65452->65453 65454 492033 65453->65454 65454->65436 65456 492a2a 65455->65456 65457 4929a0 __fread_nolock 65455->65457 65456->65424 65460 493810 65457->65460 65459->65431 65461 49381c 65460->65461 65462 493841 65461->65462 65464 492fe0 65461->65464 65462->65456 65465 4930e5 65464->65465 65466 492ffa 65464->65466 65465->65462 65466->65465 65467 48db50 11 API calls 65466->65467 65467->65466 65468->65398 65472 4d9e13 65469->65472 65494 4da18d 65469->65494 65470 4b2c90 11 API calls 65476 4d9e51 65470->65476 65471 4d9e2b 65471->64865 65472->65470 65472->65471 65473 4d9e66 65473->64865 65474 4d9f15 65475 4b2c90 11 API calls 65474->65475 65480 4d9f1e 65475->65480 65476->65473 65476->65474 65513 498570 15 API calls 65476->65513 65478 4da008 65510 490c60 65478->65510 65481 48db50 11 API calls 65480->65481 65484 4d9f95 65480->65484 65481->65480 65482 4da067 65483 490c60 11 API calls 65482->65483 65488 4da072 65483->65488 65484->65478 65485 48db50 11 API calls 65484->65485 65485->65484 65486 4da013 65486->65482 65487 48db50 11 API calls 65486->65487 65487->65486 65489 4da0a7 65488->65489 65514 49ce20 15 API calls 65488->65514 65491 48db50 11 API calls 65489->65491 65495 4da0e7 65489->65495 65491->65495 65492 4da090 65492->65489 65493 48db50 11 API calls 65492->65493 65493->65489 65494->64865 65495->65494 65496 4eaec6 11 API calls 65495->65496 65496->65494 65498 4e649c 65497->65498 65499 4e64a6 65497->65499 65500 4f4c09 13 API calls 65498->65500 65515 4e63d7 65499->65515 65502 4e64a3 65500->65502 65502->64867 65507 4e64d4 65508 4e64f2 65507->65508 65509 4f4253 __freea 11 API calls 65507->65509 65508->64867 65509->65508 65511 48db50 11 API calls 65510->65511 65512 490c76 65511->65512 65512->65486 65513->65476 65514->65492 65528 4e27de 65515->65528 65517 4e63e9 65518 4e63fb 65517->65518 65532 4f4747 5 API calls __wsopen_s 65517->65532 65520 4e63ba 65518->65520 65533 4e6308 65520->65533 65523 4f4c09 DeleteFileW 65524 
4f4c2d 65523->65524 65525 4f4c1b GetLastError 65523->65525 65524->65507 65558 4ea8d5 11 API calls __dosmaperr 65525->65558 65527 4f4c27 65527->65507 65529 4e27fc 65528->65529 65531 4e27f5 65528->65531 65530 4f307b __Getcoll 13 API calls 65529->65530 65529->65531 65530->65531 65531->65517 65532->65518 65534 4e6316 65533->65534 65535 4e6330 65533->65535 65551 4e6416 11 API calls __freea 65534->65551 65537 4e6356 65535->65537 65538 4e6337 65535->65538 65553 4f43b3 MultiByteToWideChar _strftime 65537->65553 65550 4e6320 65538->65550 65552 4e6430 12 API calls _strftime 65538->65552 65541 4e636c GetLastError 65554 4ea8d5 11 API calls __dosmaperr 65541->65554 65542 4e6365 65542->65541 65544 4e6392 65542->65544 65556 4e6430 12 API calls _strftime 65542->65556 65544->65550 65557 4f43b3 MultiByteToWideChar _strftime 65544->65557 65546 4e6378 65555 4ea92f 11 API calls __dosmaperr 65546->65555 65548 4e63a9 65548->65541 65548->65550 65550->65507 65550->65523 65551->65550 65552->65550 65553->65542 65554->65546 65555->65550 65556->65544 65557->65548 65558->65527 65559->64869 65575->64928 65577 462d5f 65576->65577 65605 462dc7 CatchIt 65576->65605 65578 462d66 65577->65578 65579 462eee 65577->65579 65580 462f6e 65577->65580 65581 462e39 65577->65581 65577->65605 65584 4dc8a2 2 API calls 65578->65584 65582 4dc8a2 2 API calls 65579->65582 65585 4dc8a2 2 API calls 65580->65585 65583 4dc8a2 2 API calls 65581->65583 65586 462ef8 65582->65586 65602 462e43 65583->65602 65587 462d70 65584->65587 65590 462f7b 65585->65590 65588 4655d0 4 API calls 65586->65588 65589 4dc8a2 2 API calls 65587->65589 65588->65605 65591 462da2 65589->65591 65592 462fc4 65590->65592 65593 46307f 65590->65593 65590->65605 65606 47f240 65591->65606 65596 462ff5 65592->65596 65597 462fcc 65592->65597 65618 402fb0 ___std_exception_copy RaiseException 65593->65618 65598 4dc8a2 2 API calls 65596->65598 65599 463084 65597->65599 65600 462fd7 65597->65600 65598->65605 65619 4022f0 ___std_exception_copy RaiseException 
Concurrency::cancel_current_task 65599->65619 65601 4dc8a2 2 API calls 65600->65601 65601->65605 65604 462d20 4 API calls 65602->65604 65602->65605 65604->65602 65605->64942 65605->65605 65607 47f278 65606->65607 65617 47f31f 65606->65617 65608 4dc8a2 2 API calls 65607->65608 65609 47f29a 65608->65609 65610 4655d0 4 API calls 65609->65610 65611 47f2b0 65610->65611 65612 462d20 4 API calls 65611->65612 65613 47f2c0 65612->65613 65614 47f240 4 API calls 65613->65614 65615 47f311 65614->65615 65616 47f240 4 API calls 65615->65616 65616->65617 65617->65605 65619->65605 65620 45e5d4 65621 45e5ee 65620->65621 65622 4029f0 4 API calls 65621->65622 65623 45e5f6 65622->65623 65624 4655d0 4 API calls 65623->65624 65627 45e60c 65624->65627 65625 45e675 CreateThread CloseHandle 65626 45e747 65625->65626 65631 45e69e 65625->65631 65937 41e220 65625->65937 65629 4029f0 4 API calls 65626->65629 65627->65625 65628 45e6a0 GetPEB 65628->65631 65630 45e768 GetTempPathA 65629->65630 65634 45e7a4 65630->65634 65631->65628 65631->65631 65633 45e71d Sleep 65631->65633 65633->65626 65633->65628 65635 4029f0 4 API calls 65634->65635 65636 45e7d9 65635->65636 65637 4029f0 4 API calls 65636->65637 65638 45e877 65637->65638 65692 40b1a0 65638->65692 65640 45e8d7 65641 45e8e9 65640->65641 65765 40b300 65640->65765 65643 40b1a0 4 API calls 65641->65643 65644 45e8fe 65643->65644 65645 45e911 65644->65645 65646 40b300 15 API calls 65644->65646 65647 45e920 CreateDirectoryA 65645->65647 65646->65645 65648 45e945 65647->65648 65649 45e933 65647->65649 65652 45e952 CreateDirectoryA 65648->65652 65701 415e30 65649->65701 65651 45e93d 65651->65648 65653 460fa5 OutputDebugStringA 65651->65653 65654 45e9d3 65652->65654 65655 45e959 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 65652->65655 65656 460fbc 65653->65656 65657 45e9de GetPEB 65654->65657 65659 45e995 65655->65659 65658 462d20 4 API calls 65656->65658 65664 45e9f0 65657->65664 65661 460fd6 65658->65661 65660 415e30 12 API calls 65659->65660 
65660->65654 65662 462d20 4 API calls 65661->65662 65663 460fec 65662->65663 65665 462d20 4 API calls 65663->65665 65666 461002 65665->65666 65667 462d20 4 API calls 65666->65667 65668 461018 65667->65668 65669 462d20 4 API calls 65668->65669 65670 46102e 65669->65670 65671 462d20 4 API calls 65670->65671 65672 461047 65671->65672 65673 4655d0 4 API calls 65672->65673 65674 461062 65673->65674 65715 418ee0 65674->65715 65676 46106f 65677 4610d3 CreateMutexA 65676->65677 65678 402990 65677->65678 65693 40b1d0 65692->65693 65694 40b1d7 65693->65694 65695 40b24d std::_Throw_Cpp_error 65693->65695 65696 40b254 std::_Throw_Cpp_error 65694->65696 65697 40b1e3 65694->65697 65695->65696 65697->65697 65698 40b1fb GetFileAttributesA 65697->65698 65700 40b212 65697->65700 65699 40b207 GetLastError 65698->65699 65698->65700 65699->65700 65700->65640 65702 415ece GetFileAttributesA 65701->65702 65703 415e66 65701->65703 65706 415fe1 65702->65706 65714 415eeb __fread_nolock 65702->65714 65794 4dcbe3 AcquireSRWLockExclusive ReleaseSRWLockExclusive SleepConditionVariableSRW 65703->65794 65706->65651 65707 415e70 65707->65702 65795 4dcb92 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 65707->65795 65708 415fad 65711 415fc4 CreateDirectoryA 65708->65711 65711->65651 65713 415e30 10 API calls 65713->65708 65714->65708 65714->65714 65787 465030 65714->65787 65724 418f15 65715->65724 65732 41a9ef 65715->65732 65716 466ee0 2 API calls 65717 41aa81 65716->65717 65718 466ee0 2 API calls 65717->65718 65719 41aa90 65718->65719 65720 466ee0 2 API calls 65719->65720 65721 41aa9f 65720->65721 65722 466ee0 2 API calls 65721->65722 65723 41aaae 65722->65723 65725 466ee0 2 API calls 65723->65725 65726 402d00 4 API calls 65724->65726 65724->65732 65727 41aabd 65725->65727 65728 418fd7 65726->65728 65729 466ee0 2 API calls 65727->65729 65730 4655d0 4 API calls 65728->65730 65731 41aacf 65729->65731 65752 418fed 65730->65752 65731->65676 65732->65716 65733 462d20 4 API 
calls 65733->65752 65734 466ee0 ___std_exception_copy RaiseException 65734->65752 65735 41aa31 65736 4029f0 4 API calls 65735->65736 65739 41aa13 65736->65739 65737 41aa00 65738 4029f0 4 API calls 65737->65738 65738->65739 65740 4de42b Concurrency::cancel_current_task RaiseException 65739->65740 65741 41ab38 65740->65741 65742 41aae2 65743 4029f0 4 API calls 65742->65743 65743->65739 65744 402d00 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65744->65752 65745 46a2d0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65745->65752 65746 46a4a0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65746->65752 65747 46c070 ___std_exception_copy RaiseException 65747->65752 65748 4655d0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65748->65752 65749 46a190 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65749->65752 65750 470d50 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65750->65752 65751 464340 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65751->65752 65752->65732 65752->65733 65752->65734 65752->65735 65752->65737 65752->65742 65752->65744 65752->65745 65752->65746 65752->65747 65752->65748 65752->65749 65752->65750 65752->65751 65766 40b33a 65765->65766 65767 40b712 std::_Throw_Cpp_error 65766->65767 65768 40b345 65766->65768 65769 40b719 std::_Throw_Cpp_error 65767->65769 65768->65769 65772 40b355 65768->65772 65770 40b72a 65769->65770 65935 402400 ___std_exception_copy RaiseException 65770->65935 65772->65770 65773 40b410 FindFirstFileA 65772->65773 65774 40b627 65773->65774 65776 40b435 65773->65776 65774->65641 65776->65770 65777 40b5a9 SetFileAttributesA 65776->65777 65778 40b300 4 API calls 65776->65778 65927 468210 65776->65927 65779 40b650 GetLastError 65777->65779 65780 40b5c8 DeleteFileA 65777->65780 65778->65777 
65779->65774 65780->65779 65781 40b5de FindNextFileA 65780->65781 65781->65776 65782 40b5f7 FindClose GetLastError 65781->65782 65782->65774 65783 40b60d SetFileAttributesA 65782->65783 65783->65774 65785 40b632 RemoveDirectoryA 65783->65785 65785->65774 65788 465076 65787->65788 65789 4650b2 65787->65789 65791 402d00 4 API calls 65788->65791 65796 469120 65789->65796 65793 415f9f 65791->65793 65793->65713 65794->65707 65795->65702 65799 4daf38 65796->65799 65804 4dad22 ___std_exception_copy std::invalid_argument::invalid_argument 65799->65804 65801 4daf49 65802 4de42b Concurrency::cancel_current_task RaiseException 65801->65802 65803 4daf57 65802->65803 65804->65801 65928 46825f 65927->65928 65931 468232 CatchIt 65927->65931 65929 46835d 65928->65929 65932 46826e 65928->65932 65936 402400 ___std_exception_copy RaiseException 65929->65936 65931->65776 65933 402f50 3 API calls 65932->65933 65934 4682b4 CatchIt 65933->65934 65934->65776 65938 41e5d8 65937->65938 65941 41e24a 65937->65941 65939 41e293 setsockopt recv WSAGetLastError 65939->65938 65939->65941 65941->65939 65942 41e5c3 Sleep 65941->65942 65944 41e521 recv 65941->65944 65947 4680a0 4 API calls 65941->65947 65956 41d430 WSAStartup 65941->65956 65969 4dc299 65941->65969 65942->65938 65942->65941 65945 41e5bb Sleep 65944->65945 65945->65942 65948 41e339 recv 65947->65948 65949 41e35a recv 65948->65949 65952 41e37b 65948->65952 65949->65952 65950 41d840 76 API calls 65950->65952 65951 4655d0 4 API calls 65951->65952 65952->65945 65952->65950 65952->65951 65953 41e5ea 65952->65953 65954 41e3e2 setsockopt recv 65952->65954 65955 4680a0 4 API calls 65952->65955 65954->65952 65955->65954 65957 41d536 65956->65957 65958 41d468 65956->65958 65957->65941 65958->65957 65959 41d49e getaddrinfo 65958->65959 65960 41d530 WSACleanup 65959->65960 65961 41d4e6 65959->65961 65960->65957 65962 41d544 freeaddrinfo 65961->65962 65964 41d4f4 socket 65961->65964 65962->65960 65963 41d550 65962->65963 65963->65941 65964->65960 
65965 41d50a connect 65964->65965 65966 41d540 65965->65966 65967 41d51c closesocket 65965->65967 65966->65962 65967->65964 65968 41d526 freeaddrinfo 65967->65968 65968->65960 65972 4dc84d 65969->65972 65973 4dc87d GetSystemTimePreciseAsFileTime 65972->65973 65974 4dc889 GetSystemTimeAsFileTime 65972->65974 65975 41e53b __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 65973->65975 65974->65975 65975->65945 65975->65952 65977 41fa10 65980 41fa17 65977->65980 65978 41fd77 65992 402400 ___std_exception_copy RaiseException 65978->65992 65980->65977 65980->65978 65982 41fa8b FindFirstFileA 65980->65982 65981 41fd4f 65990 41fac8 65982->65990 65983 41fd1a FindNextFileA 65984 41fd33 GetLastError 65983->65984 65983->65990 65985 41fd46 FindClose 65984->65985 65984->65990 65985->65981 65986 402d00 4 API calls 65986->65990 65987 473140 4 API calls 65987->65990 65988 468210 4 API calls 65988->65990 65990->65978 65990->65981 65990->65983 65990->65986 65990->65987 65990->65988 65991 4642a0 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 65990->65991 65991->65990 65993 45ea9c 65994 45ec8f __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 65993->65994 65995 45eaa6 65993->65995 65996 45eccc 65994->65996 65998 45eaff CreateMutexA 65995->65998 66280 40c490 65996->66280 65999 402990 65998->65999 66000 45eb19 GetLastError 65999->66000 66001 45eb2a 66000->66001 66012 4611db 66000->66012 66002 45eb35 Sleep 66001->66002 66002->66002 66003 45eb41 66002->66003 66005 4029f0 4 API calls 66003->66005 66004 45ed25 66006 41d840 76 API calls 66004->66006 66007 45eb79 66005->66007 66019 45ed7c 66006->66019 66008 41e5f0 78 API calls 66007->66008 66009 45eb86 66008->66009 66010 45eba8 Sleep 66009->66010 66011 45ebcb shutdown closesocket WSACleanup 66009->66011 66010->66010 66010->66011 66013 45ebf2 GetPEB 66011->66013 66017 45ec00 66013->66017 66014 45ee57 66306 41ab90 66014->66306 66015 45edb4 GetPEB 66015->66019 66017->66013 66018 45ee67 66025 45ee9d 66018->66025 66033 45ef0a 
66018->66033 66019->66014 66019->66015 66021 45ee2d Sleep 66019->66021 66020 41ab90 78 API calls 66020->66025 66021->66014 66021->66015 66022 45f016 66023 4029f0 4 API calls 66022->66023 66024 45f037 66023->66024 66026 4029f0 4 API calls 66024->66026 66025->66020 66029 45eefb Sleep 66025->66029 66027 45f05c 66026->66027 66030 4029f0 4 API calls 66027->66030 66028 402d00 ___std_exception_copy ___std_exception_copy ___std_exception_copy RaiseException 66028->66033 66029->66018 66029->66033 66031 45f081 66030->66031 66032 4029f0 4 API calls 66031->66032 66034 45f0a6 66032->66034 66033->66022 66033->66028 66035 4029f0 4 API calls 66034->66035 66036 45f0cb 66035->66036 66037 4029f0 4 API calls 66036->66037 66038 45f0f0 66037->66038 66039 4029f0 4 API calls 66038->66039 66040 45f115 66039->66040 66041 4029f0 4 API calls 66040->66041 66042 45f13a 66041->66042 66043 4029f0 4 API calls 66042->66043 67165 40af30 GetCurrentProcess IsWow64Process 66280->67165 66283 402d00 4 API calls 66284 40c526 RegOpenKeyExA 66283->66284 66286 40c57f RegQueryValueExA 66284->66286 66289 40c606 66284->66289 66288 40c5fd RegCloseKey 66286->66288 66292 40c5db 66286->66292 66288->66289 66289->66289 66290 402d00 4 API calls 66289->66290 66291 40c669 __fread_nolock 66290->66291 66293 40c67d GetCurrentHwProfileA 66291->66293 66292->66288 66296 40c691 66293->66296 66295 40c6c5 67182 40bf20 SetupDiGetClassDevsA 66295->67182 67167 40bfc0 66296->67167 66298 40c6e0 66299 40ca7e 66298->66299 66300 40c71f 66298->66300 67184 402400 ___std_exception_copy RaiseException 66299->67184 66302 468210 4 API calls 66300->66302 66303 40c76b CatchIt 66302->66303 66304 402d00 4 API calls 66303->66304 66305 40ca05 66303->66305 66304->66305 66305->66004 66307 41abd1 66306->66307 66308 402d00 4 API calls 66307->66308 66309 41abea 66308->66309 66310 402d00 4 API calls 66309->66310 66311 41ac17 66310->66311 66312 402d00 4 API calls 66311->66312 66313 41ac41 66312->66313 66314 41b24b 66313->66314 66315 402d00 4 API calls 
[Execution graph: an edge list of function addresses and per-node API call counts that is not reproducible as text. Windows APIs referenced in this portion of the graph: GetPEB, IsDebuggerPresent, IsProcessorFeaturePresent, GetTickCount64, Sleep, GetCursorPos, GetVolumeInformationA, GetWindowsDirectoryA, GetModuleFileNameA, GetModuleHandleA, GetProcessId, GetUserNameA, GetComputerNameA, GetCurrentProcess, TerminateProcess, SetThreadExecutionState, MessageBoxA, LoadLibraryA, GetProcAddress, FreeLibrary, GetPrivateProfileStringA, lstrlenA, CopyFileA, CreateFileA/CreateFileW, GetFileType, CloseHandle, GetDiskFreeSpaceA/GetDiskFreeSpaceW, GetFullPathNameA/GetFullPathNameW, GetVersionExA, RegOpenKeyExA, RegSetValueExA, RegCloseKey, CryptUnprotectData, LocalFree, RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmEndSession, GetLastError, SetLastError, RaiseException.]
APIs
• FindFirstFileA.KERNEL32(00000000,7F7A790F,?,7F7A790E,00445E27,00000000,7F7A790E,7F7A790F,74DF3100,?), ref: 0040E929
• CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,0051DAFC,00000001,0000002E,0000002F,?,00000000,00445E27), ref: 0040EBE2
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040EC55
• FindNextFileA.KERNEL32(00000000,?), ref: 0040EC6B
• FindClose.KERNEL32(00000000), ref: 0040EC7B
• GetLastError.KERNEL32 ref: 0040EC81
• GetLastError.KERNEL32 ref: 0040EC9F
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,74DF3100,?), ref: 0040EE16
• CreateDirectoryA.KERNEL32(?,00000000,?,2121120E,?,01002F31,2121120E,2121120F,?,?,?,2121120E,2121120F,?,74DF3100,?), ref: 0040F00C
• CreateDirectoryA.KERNEL32(00000000,00000000,?,313A1A0E,?,?,313A1A0E,313A1A0F,?,313A1A0E,?,00000000,313A1A0E,313A1A0F,?,2121120E), ref: 0040F16D
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
• CreateDirectoryA.KERNEL32(00000000,00000000,?,363B1F0E,?,?,363B1F0E,363B1F0F,?,363B1F0E,?,00000000,363B1F0E,363B1F0F,?,313A1A0E), ref: 0040F412
• CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,?,?,?,363B1F0E), ref: 0040F6C0
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateDirectory$File$ErrorFindLast$Cpp_errorThrow_std::_$AttributesCloseCopyFirstFolderNextPath
                                                                                                                                                                              • String ID: "64:$$39$$39$'$'^D$)$.$.$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$.4.<$12*y$12*y$2"+$3%7$3%=,$3/==$3/==$3/==$3/==$3/==$3/==$3/==$3/==$3/==$3/==$3/==$3470$35$4$4$5#*,$5#*,$5#*6$522$5817$5817$5817$5817$5817$5817$5817$6$66"6$6:3<$7$7$7470$751$79;<$7;x$7;x$7;x$7;x$7;x$7;x$7;x$7;x$7;x$7;x$7;x$7;x$8850$8>,<$8>.)$9%!$9%!$9453$9:$9:$9:$9:$9:$9:$9:$9:$9:$9:$9:$9>6$9>6$9>6$9>6$:2,*$:2,*$:2,*$:2,w$:2,w$:2,w$;>;$=8$=>$>$>.$>2*$>2*w$>9$>:($>:($?9$?9$?9$?9;6$\
                                                                                                                                                                              • API String ID: 1240817490-3540293368
                                                                                                                                                                              • Opcode ID: 92d92905132e7525661a1d4818300b2f62ef88997ee6daaf2b54f7f5e58fcf34
                                                                                                                                                                              • Instruction ID: 949b56546ccaf90be949e229be89ec1215a9c62a6db10ba406891ceaffc337b1
                                                                                                                                                                              • Opcode Fuzzy Hash: 92d92905132e7525661a1d4818300b2f62ef88997ee6daaf2b54f7f5e58fcf34
                                                                                                                                                                              • Instruction Fuzzy Hash: D7B2F470C00288DEDF14DFA4C9587EEBBB4AF15308F1482AEE4457B2D2D7785A89CB95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004436EF
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044383A
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004438D6
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443A09
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443AA4
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443BFE
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443C97
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443ED8
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444039
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00444292
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00000000), ref: 00444416
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044483E
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444898
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444A1E
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444CE4
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00444E4E
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00444B76
                                                                                                                                                                                • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
                                                                                                                                                                                • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445C65
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00445CC0
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
                                                                                                                                                                                • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,7F7A790F,?,7F7A790E,00445E27,00000000,7F7A790E,7F7A790F,74DF3100,?), ref: 0040E929
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateDirectory$File$Copy$Cpp_errorFolderPathThrow_std::_$AttributesErrorFindFirstLast
                                                                                                                                                                              • String ID: 1,)$ghi$! 2;$!#7)$!'14;y=!?$"83<$";=w$";=w$"?=+$#9;1$$'4<$%1$%26>$&+$&2$)u$0$)u$0$)u(%$)u6.$*$+$.$.4.<$.4.<$.4.<$0(33$0(33$0+$0>?$0>?$0>?$0>?w$0>?w$11$1<:3$1>6$2$2$315$315$3$$34*8$3:$3>2)$3y<8$4(r)$4>($4>($61$6:$6:$759*$759*$759*$7:$7;x$7;x$7;x$864$864$9"6-$9"6-$9"6-$9"6-$9"6-$9:$9:$9:$;26-$</$?($?($?($?)$?)/$?0$_$k$t224$w Y_[]$|';-$|76$|::<
                                                                                                                                                                              • API String ID: 2574188035-1442773133
                                                                                                                                                                              • Opcode ID: e0e9df481a5505c13180842b4de196b9cbc88ea6b0bb66655e264c48779144b7
                                                                                                                                                                              • Instruction ID: 381145703412e6fb88b60a60e01735f5d7b95eb576607faa1d3520efd2827bc4
                                                                                                                                                                              • Opcode Fuzzy Hash: e0e9df481a5505c13180842b4de196b9cbc88ea6b0bb66655e264c48779144b7
                                                                                                                                                                              • Instruction Fuzzy Hash: 56639E70C04298DADB21EB65CD557DEBBB4AF21308F4441DAD449772C2EBB81B88CF96
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045EB04
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0045EB19
                                                                                                                                                                              • Sleep.KERNEL32(00000529), ref: 0045EB3A
                                                                                                                                                                              • Sleep.KERNEL32(0000002F), ref: 0045EBAA
                                                                                                                                                                              • shutdown.WS2_32(00000002), ref: 0045EBDA
                                                                                                                                                                              • closesocket.WS2_32 ref: 0045EBE6
                                                                                                                                                                              • WSACleanup.WS2_32 ref: 0045EBEC
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045ECA1
                                                                                                                                                                              • Sleep.KERNELBASE(00000065), ref: 0045EE48
                                                                                                                                                                              • Sleep.KERNEL32(00000000,?,?), ref: 0045EEFF
                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0045F20A
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0045F212
                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000000), ref: 0045F220
                                                                                                                                                                              • OutputDebugStringA.KERNELBASE(#@#^@#TGRERTERYERY,?,?,00000018,0000000A,Function_00002990,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045F234
                                                                                                                                                                              • OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,00000000,00000000), ref: 0045F2F5
                                                                                                                                                                              • OutputDebugStringA.KERNEL32(td ydrthrhfty,00000000), ref: 0045F4D0
                                                                                                                                                                              • OutputDebugStringA.KERNELBASE(45 hgfch rtdyt gfch,0051D9CA,?,?), ref: 0045FEA5
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,00450430,00000000,00000000,00000000), ref: 0045FED0
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,00455FC0,00000000,00000000,00000000), ref: 0045FEE6
                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0051DAE8,00000001,?,?), ref: 0046008D
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000564A0,00000000,00000000,00000000), ref: 00460280
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00058520,00000000,00000000,00000000), ref: 00460294
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0005A490,00000000,00000000,00000000), ref: 004602AB
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0005B4B0,00000000,00000000,00000000), ref: 004602C2
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0005CAE0,00000000,00000000,00000000), ref: 004602D9
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0005CC40,00000000,00000000,00000000), ref: 004602ED
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0005D7B0,00000000,00000000,00000000), ref: 00460301
                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000493E0), ref: 004604BE
                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000493E0), ref: 0046056B
                                                                                                                                                                              • OutputDebugStringA.KERNELBASE( drthdrthdrthdr hrtd hr,0051D9CA,?,?), ref: 00460FAA
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 004607EF
                                                                                                                                                                                • Part of subcall function 00462D20: Concurrency::cancel_current_task.LIBCPMT ref: 00463084
                                                                                                                                                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 004610D8
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 004610ED
                                                                                                                                                                              • Sleep.KERNEL32(00007530), ref: 00461109
                                                                                                                                                                              • Sleep.KERNEL32(00000064), ref: 00461174
                                                                                                                                                                              • Sleep.KERNELBASE(00000BB8,?,?), ref: 004611A9
                                                                                                                                                                              • shutdown.WS2_32(00000002), ref: 004611B3
                                                                                                                                                                              • closesocket.WS2_32 ref: 004611BF
                                                                                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 004611D7
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Create$Thread$Sleep$DebugOutputString$ObjectSingleWait$ErrorHandleLastMutexclosesocketshutdown$AddressCleanupCloseConcurrency::cancel_current_taskCurrentModuleProcProcessUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: 95$!(7$#?$$;+$$;+$094$1,)$3+$>00$ drthdrthdrthdr hrtd hr$!?=6$!?=6$#@#^@#TGRERTERYERY$$28 3$$28 3$$28 3$'$' 1$)/3/$.$1$4$45 hgfch rtdyt gfch$5!57$5!57$5!57$5!57$5!57$5!57$5!57$5!57$5!57$6>(.$8$$:$:$<290$<290$<290$>!6:$><3<$><3<8$$?($?>2$?>2$PnE$_Y$_Y$_Y$ewetwertyer eytdryrtdy$h0u$hHBT$hXCT$hhCT$hxCT$jjj$jjj$n1&k$n1&k$n1&k$n1&k$n1&k$n1&k$ntdll.dll$td ydrthrhfty$x345$x345$|)=%$|)=%$0w$3f$S2$[7$wc
• API String ID: 2410146291-3778327771
• Opcode ID: a646b8ba70172d533d14d870466a7871b9c6d1fc2ec42d0352852053597e7a94
• Instruction ID: b7f19cb37b0b56de54bd6a9fc88ff5451383e5df5d0154206795b38d17b259f9
• Opcode Fuzzy Hash: a646b8ba70172d533d14d870466a7871b9c6d1fc2ec42d0352852053597e7a94
• Instruction Fuzzy Hash: E943CF30900258DBCB25DF68C895BEEBBB0AF15308F1441DAD4456B392EB74AF49CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004485E3
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?), ref: 004486E2
• RegCloseKey.ADVAPI32(?,?,?), ref: 0044870C
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00448973
• GetUserNameA.ADVAPI32(?,00000104), ref: 004489A9
  • Part of subcall function 004160B0: GetModuleHandleA.KERNEL32(3B263619,?), ref: 00416186
  • Part of subcall function 004160B0: GetProcAddress.KERNEL32(00000000,34312111), ref: 00416191
  • Part of subcall function 004160B0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020006), ref: 0044865A
  • Part of subcall function 00415E30: GetFileAttributesA.KERNELBASE(?,7FFFFFFF), ref: 00415EDC
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004490D9
• SHGetFolderPathA.SHELL32(00000000,00000007,00000000,00000000,?), ref: 004490F6
• CoInitialize.OLE32(00000000), ref: 004491DD
• CoCreateInstance.OLE32(Function_00115570,00000000,00000001,Function_00115540,?), ref: 004491FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00449289
• CoUninitialize.OLE32 ref: 004492B9
• ShellExecuteA.SHELL32(00000000,=#1;,00000000,00000000,00000000,00000001), ref: 00449327
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$Copy$AttributesCreate$AddressByteCharCloseErrorExecuteFolderHandleInitializeInstanceLastModuleMultiNameOpenPathProcProcessShellUninitializeUserValueWide
• String ID: $!0&$".?9$"=3$#>4=$$1'$$;$$wz$$wz$&+ $&39-$'!8$'!8$'!8$'!8$'!8$'!8$02 $0>$$38$4:18$6<7$6<7-$6<94?9$6<94?9$6<94?9$6<94?9$7%3*$7+1$7+1$7:=$8#12$8#3$8wz$8wz$:' %%mwv$;/9/$=#1;$? =$?)$?2&>374;22.$?2&>47,4/.4;,$F/!.$H$I5=I$ps{!$ps{!$ps{!$ps{!$r$r$|$|$|$|$|6,0$|6,0$|6,0$|6,0$|?:>$~$~$~$~$~
• API String ID: 28878968-3024362790
• Opcode ID: 53ee7943a4d10e95177547a8ef1a0f72a36595a407d00afbd4f2d34883170685
• Instruction ID: 429461b7d5384cafcc2df35996eafbcc51918cc99cf467c7d99fa79c194b986d
• Opcode Fuzzy Hash: 53ee7943a4d10e95177547a8ef1a0f72a36595a407d00afbd4f2d34883170685
• Instruction Fuzzy Hash: C863AA70D042989ADB25EB64CD55BDEBBB4AF11308F0041DAE449772D2EB781F88CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00434C41
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00434CE6
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 00434DB6
• lstrlenA.KERNEL32(?), ref: 00437778
  • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
• CreateDirectoryA.KERNEL32(?,00000000,?,3421020E,?,00000000,3421020E,3421020F,?,?,><3<8$,><3<8$,00000000), ref: 00436806
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00436B77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: CreateDirectoryPrivateProfile$FolderNamesPathSectionString__fread_nolocklstrlen
• String ID: 1$"!;3?;=$"!;3?;=$"2'&!8*=$"2'&!8*=$"nv=$"nv=$"nv=$"ov=$"ov=$"ov=$%1$%1$%1$%1$'!8$'!8$'!8$*,$0(33$0>4<$16&!ny<;$16&!oy<;$3$4<&8$4<&8$4<&8$8$8$8$8$8$8$8#-4$96-ax3:$96-fx3:$:<'!865<$><3<8$><3<8$$><3<8$$><3<8$$><3<8$$><3<8$$?9+w$?;=$\$\$_$by<;$by<;$by<;$cannot use operator[] with a string argument with $ey<;$ey<;$ey<;
• API String ID: 2628882823-1854249681
• Opcode ID: bbd6992d621bea28f56fe6e48aca4a1b53f3561d189d7dca3e6bafde97b9e786
• Instruction ID: a36599697f4023ba1647c38f0aef950e154c638e9f7ae6bdb9cf337964260f01
• Opcode Fuzzy Hash: bbd6992d621bea28f56fe6e48aca4a1b53f3561d189d7dca3e6bafde97b9e786
• Instruction Fuzzy Hash: 0F53CF70C042989EDF25DB64CC48BEEBBB4AF16308F1441DED44967282EB785B89CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
  • Part of subcall function 0040B270: CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
  • Part of subcall function 0040B1A0: std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00459B2F
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459CDC
• CreateDirectoryA.KERNEL32(?,00000000,00000000,?), ref: 00459DA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID: !$=+$!$=+$!6&#$!6&#$!67 $2$!67 $2$"$"2 =$"2 =$"2 =$"2 =$$28 3$$28 3$$28 3$$28 3$$6,0$$6,0$$6,0$$6,0$%1$&<?08$&<?08$)$)$*:$*:$*:$*:$31$31$31$6<94?9$6<94?9$6<94?96<94?9$6<94?96<94?9$7+$<$7+$<$7+$<$7+$<$:' %$:' %$<290$<290$<290$<290$=>=*$=>=*$=>=*$?4=$?4=$t/$)$t/$)$w Y_$w ]p$|',!$|',!$|',!
• API String ID: 453214671-2294095452
• Opcode ID: 7ffdaf4037cb2d030a63199d217c015197ae860a8e502b6e60a93467012496ea
• Instruction ID: 57ae14f2feaf59c3a95a653b4d20b0d10ef2dfc7cc1885f066834b7badb08a9e
• Opcode Fuzzy Hash: 7ffdaf4037cb2d030a63199d217c015197ae860a8e502b6e60a93467012496ea
• Instruction Fuzzy Hash: 70036B70904298DEDB25EB65C9597DEBBB4AF11308F0400DED44977292EBB81F88CF5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3E3B3C31), ref: 004282B4
  • Part of subcall function 0040AB40: __fread_nolock.LIBCMT ref: 0040AC3C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A957
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFolderPathRaiseUnothrow_t@std@@@__ehfuncinfo$??2@__fread_nolock
• String ID: !67 $2$!8*2$"2 =$#;,$#;,$$.(-$$.(-$$.(-$$.(-$$.(-$$28 3$$28 3$$6,0$$bd$$be$'$'$'$'$*:$/',<$/',<$/',<$/',<$1$1$1<;>$1<;>?2+$6<94?9$7+$<$7=7'$7=7'$7=7'$7=7'$9%3$:' %$<290$?2+$[$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 763711979-1342090246
• Opcode ID: f3990dcf742785826510b3bb77b6ceb428905fb40aa7cc0d599a2a9fb42f1cf9
• Instruction ID: 75da0da8fc7ec44c57da9840ff1f0e32adef3685c6fae34395cd54ce1a610f13
• Opcode Fuzzy Hash: f3990dcf742785826510b3bb77b6ceb428905fb40aa7cc0d599a2a9fb42f1cf9
• Instruction Fuzzy Hash: 1A73CD70D002A88BDB25DB68DC547EEBBB0AF15308F5441DED44967282DB786F88CF99
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesCreateDirectoryErrorFileLast
• String ID: !$=+$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"!;3$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$"2'&!8*=$% 7+$% 7+$% 7+$%1$%1$%1$%1$%1w $&+$&+$&+$'!8$'!8$'!8$'!8$'!8$'!8$'!8$'!8$)$31$31$58*=$;615$>(r)$>(r)$>(r)$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$><3<8$?;=$?;=$?;=$?;=$?;=$?;=$?;=$?;=$?;=*$`a$i$t/$)$t/$)$u$w $w $w %1$w %1$w w
• API String ID: 325604351-255260331
• Opcode ID: 7dcd8d6871f77b4598944d0541f840cbd14ff571c96704b36630e61251187c15
• Instruction ID: b3a347ab2d5913c55b79dc2b7675eac22e4de48785ab9d64140a0416f3fdeda6
• Opcode Fuzzy Hash: 7dcd8d6871f77b4598944d0541f840cbd14ff571c96704b36630e61251187c15
• Instruction Fuzzy Hash: FB137B30C04298DADB21EBA5CD557DDBBB4AF21308F4441EED44977292EBB81F88CB56
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,12&1%,?,?,?,00000004), ref: 0042487A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: #;,$#;,$#;,$$.(-$$.(-$$.(-$$.(-$$bd$$be$'$'$'$'$/',<$/',<$/',<$/',<$12&19-48>.$12&1%$12&1%$7+$/29+$7+$;86-2$7=7'$7=7'$7=7'$7=7'$9:.9$9:.9$<290$<290$<:7>865<$<:7>865<$=!=2?9$>2'!17,($X$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 1514166925-1125462606
• Opcode ID: a6fbce01a3c6adbb50c7c44534195b820e1dd5735fb065cfa8055a8dc7fe5fb6
• Instruction ID: 2f7e4d1e291f3f1cdc620df9df6a1c96b4595230c5c4730e23e565800bfc6c88
                                                                                                                                                                              • Opcode Fuzzy Hash: a6fbce01a3c6adbb50c7c44534195b820e1dd5735fb065cfa8055a8dc7fe5fb6
                                                                                                                                                                              • Instruction Fuzzy Hash: DD83CF70D042A88BDB25DF68D8447EEBBB4AF15308F1441DED44967282DB786F88CF99
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Function at 0045E5D4 (interactive graph with executed / not executed block colouring; rendering not preserved in this extraction)
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateThread.KERNELBASE(00000000,00000000,0041E220,00000000,00000000,00000000), ref: 0045E684
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0045E68B
                                                                                                                                                                              • Sleep.KERNELBASE(00000001), ref: 0045E738
                                                                                                                                                                              • GetTempPathA.KERNEL32(000000FB,?,00000000), ref: 0045E78E
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 0045E927
                                                                                                                                                                              • CreateDirectoryA.KERNELBASE(00000000,00000000,?,00000000), ref: 0045E953
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045E96A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Create$Directory$AttributesCloseErrorFileHandleLastPathSleepTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                              • String ID: drthdrthdrthdr hrtd hr$!?=6$3$37;7$:$:6=1$?$PnE$h$h0u$hHBT$hXCT$hhCT$hxCT$jjj$x345$>i$pi
                                                                                                                                                                              • API String ID: 4231318459-2239746989
                                                                                                                                                                              • Opcode ID: 4e8cadf1558bc808eb15c925feb827478044ca38ad77a820c39c18be29cec92c
                                                                                                                                                                              • Instruction ID: 8077588bf94c0e4bc39e93033f8a776c4edc121c9ce1f6a3b1a7cfd8669552db
                                                                                                                                                                              • Opcode Fuzzy Hash: 4e8cadf1558bc808eb15c925feb827478044ca38ad77a820c39c18be29cec92c
                                                                                                                                                                              • Instruction Fuzzy Hash: D3121470A002488BCB18EF69CC55BDEBB71AF55308F1441DEE9056B2D2EB745F48CB9A
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3E3B2735,?,?,?,00000004), ref: 0042CAB4
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FolderPath
                                                                                                                                                                              • String ID: !6&#$$.(-$$.(-$$.(-$$bd$$be$&<?08\$'$'$'$/',<$/',<$/',<$39+$5';>$5';>39+$7=7'$7=7'$7=7'$?4=$V$\$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                              • API String ID: 1514166925-3834567515
                                                                                                                                                                              • Opcode ID: d683652dda44f9dae4f0f6e733b05dec29e26b7ec3e1f1917560291c9df3a30d
                                                                                                                                                                              • Instruction ID: 533f620bba5b2773b9cbc6b6bd3ac26e45f2e0f23bfd5e739c1d7210883c523b
                                                                                                                                                                              • Opcode Fuzzy Hash: d683652dda44f9dae4f0f6e733b05dec29e26b7ec3e1f1917560291c9df3a30d
                                                                                                                                                                              • Instruction Fuzzy Hash: EB23CF70D002A88BDF25DB68CD547EEBBB0AF15304F1442DEE44967282DBB85B89CF95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Function at 0043EAEB (interactive graph with executed / not executed block colouring; rendering not preserved in this extraction)
                                                                                                                                                                              APIs
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 0043ED7A
                                                                                                                                                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0043F019
                                                                                                                                                                              • FindClose.KERNEL32(00000000), ref: 0043F029
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000,?,3931070E,?,?,3931070E,3931070F), ref: 0043F0F3
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000,?,3430270E,?,?,3430270E,3430270F), ref: 0043F198
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0043F25B
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
                                                                                                                                                                                • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000), ref: 0043F3A8
                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,?,00000000), ref: 0043F50E
                                                                                                                                                                              • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0043F75F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$CopyCreateDirectoryFind$AttributesCloseErrorFirstLastNext
                                                                                                                                                                              • String ID: 39-$39-$ $ 1$ 1$"6$"6$%$%$%$.$30*8$7$;($;($\$\$\$\$\$s$s
                                                                                                                                                                              • API String ID: 2727793958-3925946799
                                                                                                                                                                              • Opcode ID: 96eda1e606b0396eca85da87c18276847d1db5a3f05590dd0ceb551169dca9ed
                                                                                                                                                                              • Instruction ID: ff9879098513eefe7118d1867748fd0ca27ef1486d3eeb152b38f87866c2ba9f
                                                                                                                                                                              • Opcode Fuzzy Hash: 96eda1e606b0396eca85da87c18276847d1db5a3f05590dd0ceb551169dca9ed
                                                                                                                                                                              • Instruction Fuzzy Hash: 2E92DF70C00259CFDF28DBA4C948BEEBBB4AF15308F1042EDD44967292EB785A49DF65
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AttributesCreateDirectoryErrorFileLast
                                                                                                                                                                              • String ID: 9-4$9-4$ $!$=+$!$=+$"/,$"8* $"8* $%1$%1$&:90$&:90$'!8$'!8$)$)$12&1$12&1$7+$/29+$7+$/29+$7+$;86-2$7+$;86-2$8>.$8>.$9:.9$9:.9$<290$<290$<:7>865<$<:7>865<$>2'!17,($>2'!17,($t/$)$w ]p:;-TP$|',!$|',!
                                                                                                                                                                              • API String ID: 674977465-2093587463
                                                                                                                                                                              • Opcode ID: 3891185e4cd8f330b12e7872c9c530ffc4cc23191e2ee05e32caef61de063f78
                                                                                                                                                                              • Instruction ID: f1ec3ed8df4f27eeeafdc384d20f3ca36f04232fc952ab87f7a7b0810dcce7f9
                                                                                                                                                                              • Opcode Fuzzy Hash: 3891185e4cd8f330b12e7872c9c530ffc4cc23191e2ee05e32caef61de063f78
                                                                                                                                                                              • Instruction Fuzzy Hash: DAC29E708042989EDB25EB65CC557DEBBB4AF11308F0401DED44977292EBB81F88DF9A
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 00439D16
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString
• String ID: 1$!67 $2$"2 =$$28 3$$6,0$*:$/$1$1$1<;>$6<94?9$7+$<$:' %$<290$?2+$?;=$@$TbE$\$\$cannot use operator[] with a string argument with
• API String ID: 1096422788-1476001284
• Opcode ID: b6326a3d966fe047580aaad9357315654acdd1c05d44b97173da037dbd77bc33
• Instruction ID: e6264ca87e19b7cc07875635de15bcfee6b67c28ad1294dbb86b2ba5eb7e06b0
• Opcode Fuzzy Hash: b6326a3d966fe047580aaad9357315654acdd1c05d44b97173da037dbd77bc33
• Instruction Fuzzy Hash: AD03D170D002599BDB25DB24C948BEEBBB0AF19308F1441DED48967382D778AF85CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?), ref: 004388A3
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00438947
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 004389F9
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439984
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$ExceptionFolderNamesPathRaiseSectionStringlstrlen
• String ID: 1$"2 =$#$'!8$)$)*04$)u53$*:$/$0>4<$4:80lxwv$4:80lxwv$52+w$7$?;=$Z$\$\$cannot use operator[] with a string argument with
• API String ID: 4052058988-2151770575
• Opcode ID: be3123f3357e879f4270c53588c6fc3f64254e813a53378cbf386846d7d95a52
• Instruction ID: d52ba13351ba4a324f7a6f7a00f127466ceb9abec5af3ef73cb60ab6959e21c5
• Opcode Fuzzy Hash: be3123f3357e879f4270c53588c6fc3f64254e813a53378cbf386846d7d95a52
• Instruction Fuzzy Hash: 80C2E270D04259CBDB25DF64C9447EEBBB0AF19308F1441DEE4496B282EBB85E88CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?), ref: 0043B862
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0043B906
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 0043B9B9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043C4EE
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043C79B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
• String ID: 1$&:909%!$'!8$)$)*04$)u53$*:$/$0>4<$52+w$7$9%!$::'!$::'!$?;=$Z$\$\
• API String ID: 3203477177-3228426408
• Opcode ID: 534182b2e5783794df3403b270118884bb5b74f758ad4123d1b78da7820507f7
• Instruction ID: c93978f290d7d1d8c968389482369432632287792869b1679fa0885db036a378
• Opcode Fuzzy Hash: 534182b2e5783794df3403b270118884bb5b74f758ad4123d1b78da7820507f7
• Instruction Fuzzy Hash: AAB2D470D04258DBDB25DB64CC44BEEBBB0AF19308F1441DED449BB282DB789A89CF95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: "!;3?;=$"2'&!8*=$$.(-$$.(-$$.(-$$bd$$be$'$'$'$'!8$/',<$/',<$/',<$2$7=7'$7=7'$7=7'$><3<8$><3<8$$N$\$\$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
• API String ID: 0-1876853861
• Opcode ID: e2cc1c15a39ffa3081a3729397234da8590735d2a06667bd3bee6a7ac58d9cd5
• Instruction ID: 23905bb18fd000cec8556e00b281b5b68f5f5e10fed6cbdd06ccf3518dd8b67d
• Opcode Fuzzy Hash: e2cc1c15a39ffa3081a3729397234da8590735d2a06667bd3bee6a7ac58d9cd5
• Instruction Fuzzy Hash: F403E070D002A8DADF25DF68C844BEEBBB0AF15304F5441DED44967292DBB85B88CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 0044AD86
• SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,06111778,?,?), ref: 0044AF74
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?,?,?,?,?,?,?,161B1778,?,?), ref: 0044B176
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,10070678,?,?), ref: 0044B404
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath$AttributesErrorFileLast
• String ID: $1#$175$ $ &80$ &80$ &80115?($ &80175>>.$*$:$>>.$type must be boolean, but is $z}y|${${$~s
• API String ID: 133263752-2053842511
• Opcode ID: 6edfaad16dd15c7f831997d1fbcf71e291bdac98c86e44854bbd1af8dce9ca3d
• Instruction ID: edb6fcdc740fcd203abd4a1a4372474ddc1a219639bcc899f6d1fc62923c7786
• Opcode Fuzzy Hash: 6edfaad16dd15c7f831997d1fbcf71e291bdac98c86e44854bbd1af8dce9ca3d
• Instruction Fuzzy Hash: EEC2D070D002589AEF25DF64C858BEEBBB4AF16304F1081DED44977282EB785B89CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,><3<8$,><3<8$,00000001), ref: 0043DFD9
  • Part of subcall function 0040AF70: GetModuleHandleA.KERNEL32(3930271C), ref: 0040AFE5
  • Part of subcall function 0040AF70: GetProcAddress.KERNEL32(00000000,12382700), ref: 0040AFF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressCredEnumerateHandleModuleProc
• String ID: !$!8*=$"!;3?;=$"!;3?;=$"!;3?;=$"2'&!8*=$"2'&!8*=$'!8$'!8$'!8$8$8$$><3<$><3<8$><3<8$$><3<8$$><3<8$$cannot use operator[] with a string argument with $hHS
• API String ID: 2949927473-1437918641
• Opcode ID: 9c8a200175ba7f40ef5701e0636ccd82f9f048b5d949ea70d4bead243f041054
• Instruction ID: 066672279fb6fdae9836c2dcee111eee1fbb7ccffcc1ffbf2bea6a5a1071ae00
• Opcode Fuzzy Hash: 9c8a200175ba7f40ef5701e0636ccd82f9f048b5d949ea70d4bead243f041054
• Instruction Fuzzy Hash: 4213AC70C002989FDB25DF68C894BEEBBB1AF59304F1481DED44967382DB785A89CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[control-flow graph of the function starting at 45a490, rendered as an interactive image in the original report; the serialized node and edge list is not reproduced here]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AttributesCreateDirectoryErrorFileLast
• String ID: !$=+$!$=+$"2 =$"2 =$$28 3$$28 3$%1$%1$&+$'!8$'!8$)$)$*$6$6u(%$8;78$8;78$9115$9115$<290$<290$>($>(r)$w ]p$w ^p$|',!$|',!
• API String ID: 674977465-1310367266
• Opcode ID: cf79787d20b9fdde4aebdf231145ceb7cdc9beee516a7e86f7579d5da9f20a00
• Instruction ID: 443d7c8e7de7a932d6356f6d7193eec45498cc015ea55a0ce504edb69b8ec486
                                                                                                                                                                              • Opcode Fuzzy Hash: cf79787d20b9fdde4aebdf231145ceb7cdc9beee516a7e86f7579d5da9f20a00
                                                                                                                                                                              • Instruction Fuzzy Hash: 8B92A170800298DEDB25DB65C9547DEBBB0AF11308F4401DED44A77292EBB81F89DF9A
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

APIs
• GetUserNameA.ADVAPI32(?,00000104), ref: 004177CC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00417A9B
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020006,?), ref: 00417B24
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 00417B59
• RegCloseKey.ADVAPI32(?), ref: 00417B62
• CopyFileA.KERNEL32(?,?,00000000), ref: 00417F3D
  • Part of subcall function 004160B0: GetModuleHandleA.KERNEL32(3B263619,?), ref: 00416186
  • Part of subcall function 004160B0: GetProcAddress.KERNEL32(00000000,34312111), ref: 00416191
  • Part of subcall function 004160B0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
• __Xtime_get_ticks.LIBCPMT ref: 00418832
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418840
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: CopyFile$AddressCloseCreateHandleModuleNameOpenProcProcessUnothrow_t@std@@@UserValueXtime_get_ticks__ehfuncinfo$??2@
• String ID: ".?9$/$3$F/!.$H$I5=I$\$\$ps{!$wz$ps{!8wz$|6,0
• API String ID: 3014538992-93314115
• Opcode ID: e44c68f8324a9d898aa1e99d1a7a8950320aa0563ef42a9040ceb01c8f098bae
• Instruction ID: dd7755f2b3b60df83438b1c40db03fd9a69dbbc7292c3b7d1adc47f217cdb092
• Opcode Fuzzy Hash: e44c68f8324a9d898aa1e99d1a7a8950320aa0563ef42a9040ceb01c8f098bae
• Instruction Fuzzy Hash: ADD2F370C042588FDF15CF64C9597EEBBB1AF15308F14829EE0497B292EB785AC8CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004379A8
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00437A51
• GetPrivateProfileStringA.KERNEL32(?,3D203202,00000000,?,00000104,?), ref: 00437B09
• lstrlenA.KERNEL32(?), ref: 0043865B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: $ 1$$28 3$(:$$)u53$/$0>4<$3& :0>45$3& :0>45$7$<290$E$\$\$cannot use operator[] with a string argument with
• API String ID: 1311570089-3057292652
• Opcode ID: 81aeb78f60b4245dd423f2f49d8adf1543301c7dc42bfe6c9f11075fc0062a50
• Instruction ID: ddf5894e4190de8f0e61275d0d4fb3d3b3478f7ba823619425044a5b04d8193a
• Opcode Fuzzy Hash: 81aeb78f60b4245dd423f2f49d8adf1543301c7dc42bfe6c9f11075fc0062a50
• Instruction Fuzzy Hash: 77A20570D04258DBDF24DF64C844BDEBBB4AF19308F1441DEE449A7282EB789A89CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,21273A3A,?,?,?,?), ref: 0042B7A1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042C4A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPathUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: #;,$#;,$$$&:90$'!8$9%!$::'!$::'!$@$\$\$\$cannot use operator[] with a string argument with
• API String ID: 2082173394-2580547700
• Opcode ID: 93de412a9f55b99bffdb22614eea30817ded2027ad5d2aec33d4b94db09519ae
• Instruction ID: a10301453e4d2261c24946cc2977acfa72d8dfac12b8f5d12bf0412471090912
• Opcode Fuzzy Hash: 93de412a9f55b99bffdb22614eea30817ded2027ad5d2aec33d4b94db09519ae
• Instruction Fuzzy Hash: AAC2E270D00268CBDB24DF68DD447EEBBB0AF55304F14819EE449AB282DB785E88CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function at 40b300: the basic-block node/edge list behind the graph image is omitted here. Calls visible in the graph: FindFirstFileA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, GetLastError, RemoveDirectoryA and std::_Throw_Cpp_error, plus a recursive call back to 40b300 from the block at 40b58b, i.e. the routine walks a directory tree and removes its contents.]
APIs
• FindFirstFileA.KERNELBASE(?,?,DT,?,?,?,\*.*,00000004), ref: 0040B423
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B714
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B725
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$FileFindFirst
• String ID: \*.*$DT
• API String ID: 1487763586-2523999094
• Opcode ID: 4a29aba26bec869d3660ca0283637983aa92af40795304ad3570c6c34889b601
• Instruction ID: ac939954ec097e0f466dd701cbb477dfb9ac36ed8f0a1d488013fd253ef2818d
• Opcode Fuzzy Hash: 4a29aba26bec869d3660ca0283637983aa92af40795304ad3570c6c34889b601
• Instruction Fuzzy Hash: FCC1CF70D00249CFDB10DFA4C8487EEBBB1FF55314F14426AE044BB292E7B45A88DB99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function at 43c800: the basic-block node/edge list behind the graph image is omitted here. Calls visible in the graph: one LoadLibraryA, seven consecutive GetProcAddress calls (each preceded by a short loop, consistent with runtime decoding of the export name), and a FreeLibrary on the exit path, i.e. the routine resolves imports dynamically.]
APIs
• LoadLibraryA.KERNELBASE($2!9"440t?01), ref: 0043C845
• GetProcAddress.KERNEL32(00000000,?), ref: 0043C890
• GetProcAddress.KERNEL32(?), ref: 0043C8CC
• GetProcAddress.KERNEL32(39213204), ref: 0043C90B
• GetProcAddress.KERNEL32(39213204), ref: 0043C94B
• GetProcAddress.KERNEL32(?), ref: 0043C97E
• GetProcAddress.KERNEL32(39213204), ref: 0043C9BD
• GetProcAddress.KERNEL32(39213204), ref: 0043C9FC
• FreeLibrary.KERNEL32 ref: 0043CA51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: $2!9"440t?01$2+$4=(
• API String ID: 2449869053-1843404136
• Opcode ID: f423dc4987d352ac9937d848cd9fb5e714644b23985bd1ebfd8db31034e5f883
• Instruction ID: b30b69da85a4116f3a82840f577a0ae83ca26ffad3fe6e2f7a477cc7da58665a
• Opcode Fuzzy Hash: f423dc4987d352ac9937d848cd9fb5e714644b23985bd1ebfd8db31034e5f883
• Instruction Fuzzy Hash: 4A710270814288CAEB09CFA4E8487EEBBF8EF2A308F10406ED444BA621D375461DDF65
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?), ref: 004237AB
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FolderPath
                                                                                                                                                                              • String ID: $"2 =$#;,$#;,$'!8$@$\$\$\
                                                                                                                                                                              • API String ID: 1514166925-759053580
                                                                                                                                                                              • Opcode ID: caef5bf67891b5adbdf502c28c531be5ecf46fc3c45987f65919bad8b113327f
                                                                                                                                                                              • Instruction ID: 5e4413c7f963dead2597c5e4b13444e0529a0f2600b9e83200ec1b3ca6f7b0c6
                                                                                                                                                                              • Opcode Fuzzy Hash: caef5bf67891b5adbdf502c28c531be5ecf46fc3c45987f65919bad8b113327f
                                                                                                                                                                              • Instruction Fuzzy Hash: 3CB2D070E00268CBDB14DF68D9447EEBBB1BF55304F14429EE449AB382D7786E84CB95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                               Control-flow Graph
 
                                                                                                                                                                               Basic blocks of the function at 41e220 (address range, calls made inside the block) and their successors, listed in address order; blocks with no successor end the function:
                                                                                                                                                                               • 41e220-41e244 -> 41e5d8-41e5e9, 41e24a
                                                                                                                                                                               • 41e24a -> 41e250-41e258
                                                                                                                                                                               • 41e250-41e258 -> 41e293-41e2dc, 41e25a-41e280
                                                                                                                                                                               • 41e25a-41e280 (call 41d430) -> 41e285-41e28d
                                                                                                                                                                               • 41e285-41e28d -> 41e293-41e2dc, 41e5c3-41e5d2
                                                                                                                                                                               • 41e293-41e2dc (setsockopt, recv, WSAGetLastError) -> 41e5d8-41e5e9, 41e2e2-41e2e5
                                                                                                                                                                               • 41e2e2-41e2e5 -> 41e536-41e55f, 41e2eb-41e2f2
                                                                                                                                                                               • 41e2eb-41e2f2 -> 41e521-41e531, 41e2f8-41e354
                                                                                                                                                                               • 41e2f8-41e354 (call 4680a0, recv) -> 41e35a-41e375, 41e4cf-41e4dc
                                                                                                                                                                               • 41e35a-41e375 (recv) -> 41e4cf-41e4dc, 41e37b-41e3b6
                                                                                                                                                                               • 41e37b-41e3b6 -> 41e429-41e489, 41e3b8-41e3bd
                                                                                                                                                                               • 41e3b8-41e3bd -> 41e3d3-41e3dd, 41e3bf-41e3d1
                                                                                                                                                                               • 41e3bf-41e3d1 -> 41e3e2-41e427
                                                                                                                                                                               • 41e3d3-41e3dd (call 4680a0) -> 41e3e2-41e427
                                                                                                                                                                               • 41e3e2-41e427 (setsockopt, recv) -> 41e429-41e489
                                                                                                                                                                               • 41e429-41e489 (call 4655d0, call 41d260, call 41dc70) -> 41e4b7-41e4cb, 41e48b-41e497
                                                                                                                                                                               • 41e48b-41e497 -> 41e499-41e4a7, 41e4ad-41e4af
                                                                                                                                                                               • 41e499-41e4a7 -> 41e5ea-41e5ef, 41e4ad-41e4af
                                                                                                                                                                               • 41e4ad-41e4af (call 4dcb23) -> 41e4b4
                                                                                                                                                                               • 41e4b4 -> 41e4b7-41e4cb
                                                                                                                                                                               • 41e4b7-41e4cb -> 41e4cf-41e4dc
                                                                                                                                                                               • 41e4cf-41e4dc -> 41e50a-41e51c, 41e4de-41e4ea
                                                                                                                                                                               • 41e4de-41e4ea -> 41e500-41e507, 41e4ec-41e4fa
                                                                                                                                                                               • 41e4ec-41e4fa -> 41e500-41e507, 41e5ea-41e5ef
                                                                                                                                                                               • 41e500-41e507 (call 4dcb23) -> 41e50a-41e51c
                                                                                                                                                                               • 41e50a-41e51c -> 41e5bb-41e5bd
                                                                                                                                                                               • 41e521-41e531 (recv) -> 41e5bb-41e5bd
                                                                                                                                                                               • 41e536-41e55f (call 4dc299, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z) -> 41e5bb-41e5bd, 41e561
                                                                                                                                                                               • 41e561 -> 41e563-41e569, 41e56b-41e5a3
                                                                                                                                                                               • 41e563-41e569 -> 41e5bb-41e5bd, 41e56b-41e5a3
                                                                                                                                                                               • 41e56b-41e5a3 (call 41d840) -> 41e5a8-41e5b6
                                                                                                                                                                               • 41e5a8-41e5b6 -> 41e5bb-41e5bd
                                                                                                                                                                               • 41e5bb-41e5bd (Sleep) -> 41e5c3-41e5d2
                                                                                                                                                                               • 41e5c3-41e5d2 (Sleep) -> 41e5d8-41e5e9, 41e250-41e258
                                                                                                                                                                               • 41e5d8-41e5e9 -> (no successor)
                                                                                                                                                                               • 41e5ea-41e5ef (call 4e1ea0) -> (no successor)
                                                                                                                                                                              APIs
                                                                                                                                                                              • setsockopt.WS2_32(0000038C,0000FFFF,00001006,?,00000008), ref: 0041E2B2
                                                                                                                                                                              • recv.WS2_32(?,00000004,00000002), ref: 0041E2CD
                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 0041E2D1
                                                                                                                                                                              • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0041E34F
                                                                                                                                                                              • recv.WS2_32(00000000,0000000C,00000008), ref: 0041E370
                                                                                                                                                                              • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0041E40C
                                                                                                                                                                              • recv.WS2_32(00000000,?,00000008), ref: 0041E427
                                                                                                                                                                                • Part of subcall function 0041D430: WSAStartup.WS2_32 ref: 0041D45A
                                                                                                                                                                                • Part of subcall function 0041D430: getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
                                                                                                                                                                                • Part of subcall function 0041D430: socket.WS2_32(?,?,?), ref: 0041D4FD
                                                                                                                                                                                • Part of subcall function 0041D430: connect.WS2_32(00000000,?,?), ref: 0041D511
                                                                                                                                                                                • Part of subcall function 0041D430: closesocket.WS2_32(00000000), ref: 0041D51D
                                                                                                                                                                                • Part of subcall function 0041D430: freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
                                                                                                                                                                                • Part of subcall function 0041D430: WSACleanup.WS2_32 ref: 0041D530
                                                                                                                                                                              • recv.WS2_32(?,00000004,00000008), ref: 0041E52F
                                                                                                                                                                              • __Xtime_get_ticks.LIBCPMT ref: 0041E536
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E544
                                                                                                                                                                              • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 0041E5BD
                                                                                                                                                                              • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 0041E5C5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4125349891-0
                                                                                                                                                                              • Opcode ID: 4f16ea895f53ca580b03d975fca0a4645a27b0bc826a97079c23b567da2f2c96
                                                                                                                                                                              • Instruction ID: 445f019a92e67a07c5577944838b6ba889f153fe2f7e7f97530082f2635256d3
                                                                                                                                                                              • Opcode Fuzzy Hash: 4f16ea895f53ca580b03d975fca0a4645a27b0bc826a97079c23b567da2f2c96
                                                                                                                                                                              • Instruction Fuzzy Hash: BFB1BB74D00208DFDB10DFA5DC49BDEBBB1BF55308F20421AE514AB2D2E7B85989DB85
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%
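The control_flow_graph text Joe Sandbox prints for the function at 0041E220 is a flat stream of block definitions ("NNNNN address-range calls...") and edges ("A->B"). The Python below is an added example, not part of the Joe Sandbox report: it parses that stream, finds loop back edges by depth-first search, computes each natural loop and lists the API calls inside the loop body. On this function it recovers one loop headed at 41e250 whose tail is the Sleep block 41e5c3-41e5d2 and whose body holds the setsockopt, recv, WSAGetLastError and both Sleep blocks, i.e. the whole receive path is retried after a Sleep. The loop analysis is standard compiler theory, not something the report states; the convention that the first block defined in the text is the function entry is an assumption of this example.

```python
import re
from collections import defaultdict

# Added example, not part of the Joe Sandbox report. Input: the control_flow_graph
# text of the socket receive routine (function at 0041E220), copied from the report.
# "NNNNN <addr-range> [calls...]" defines a basic block; "A->B" is an edge.
CFG_TEXT = (
    "control_flow_graph 21069 41e220-41e244 21070 41e5d8-41e5e9 21069->21070 21071 41e24a "
    "21069->21071 21072 41e250-41e258 21071->21072 21073 41e293-41e2dc setsockopt recv "
    "WSAGetLastError 21072->21073 21074 41e25a-41e280 call 41d430 21072->21074 21073->21070 "
    "21076 41e2e2-41e2e5 21073->21076 21077 41e285-41e28d 21074->21077 21078 41e536-41e55f "
    "call 4dc299 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 21076->21078 21079 41e2eb-41e2f2 "
    "21076->21079 21077->21073 21080 41e5c3-41e5d2 Sleep 21077->21080 21084 41e5bb-41e5bd Sleep "
    "21078->21084 21087 41e561 21078->21087 21082 41e521-41e531 recv 21079->21082 "
    "21083 41e2f8-41e354 call 4680a0 recv 21079->21083 21080->21070 21080->21072 21082->21084 "
    "21091 41e35a-41e375 recv 21083->21091 21092 41e4cf-41e4dc 21083->21092 21084->21080 "
    "21089 41e563-41e569 21087->21089 21090 41e56b-41e5a3 call 41d840 21087->21090 21089->21084 "
    "21089->21090 21099 41e5a8-41e5b6 21090->21099 21091->21092 21093 41e37b-41e3b6 21091->21093 "
    "21095 41e50a-41e51c 21092->21095 21096 41e4de-41e4ea 21092->21096 21097 41e429-41e489 "
    "call 4655d0 call 41d260 call 41dc70 21093->21097 21098 41e3b8-41e3bd 21093->21098 "
    "21095->21084 21100 41e500-41e507 call 4dcb23 21096->21100 21101 41e4ec-41e4fa 21096->21101 "
    "21117 41e4b7-41e4cb 21097->21117 21118 41e48b-41e497 21097->21118 21104 41e3d3-41e3dd "
    "call 4680a0 21098->21104 21105 41e3bf-41e3d1 21098->21105 21099->21084 21100->21095 "
    "21101->21100 21106 41e5ea-41e5ef call 4e1ea0 21101->21106 21110 41e3e2-41e427 setsockopt "
    "recv 21104->21110 21105->21110 21110->21097 21117->21092 21119 41e499-41e4a7 21118->21119 "
    "21120 41e4ad-41e4af call 4dcb23 21118->21120 21119->21106 21119->21120 21122 41e4b4 "
    "21120->21122 21122->21117"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return ({node_id: [addr_range, call tokens...]}, [(src, dst), ...])."""
    tokens = text.split()
    edges = [tuple(m.groups()) for m in map(EDGE_RE.match, tokens) if m]
    node_ids = {n for edge in edges for n in edge}
    nodes, current = {}, None
    for tok in tokens:
        if EDGE_RE.match(tok):
            continue
        if tok in node_ids:        # an id referenced by an edge opens a block definition
            current = tok
            nodes[current] = []
        elif current is not None:  # address range, "call", callee address or API name
            nodes[current].append(tok)
    return nodes, edges


def find_back_edges(edges, entry):
    """DFS from entry; an edge to a block still on the DFS path is a loop back edge."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    on_path, done, back = set(), set(), []

    def visit(n):
        on_path.add(n)
        for s in succ[n]:
            if s in on_path:
                back.append((n, s))
            elif s not in done:
                visit(s)
        on_path.discard(n)
        done.add(n)

    visit(entry)
    return back


def natural_loop(edges, back_edge):
    """All blocks that reach the back edge's tail without passing through its header."""
    pred = defaultdict(list)
    for src, dst in edges:
        pred[dst].append(src)
    tail, header = back_edge
    body, work = {header, tail}, [tail]
    while work:
        for p in pred[work.pop()]:
            if p not in body:
                body.add(p)
                work.append(p)
    return body


def loops_with_calls(text):
    """Summarise every loop: header range, tail range, block count, calls inside the body."""
    nodes, edges = parse_cfg(text)
    entry = next(iter(nodes))  # assumption: the first block defined is the function entry
    out = []
    for tail, header in find_back_edges(edges, entry):
        body = natural_loop(edges, (tail, header))
        calls = sorted({t for n in body for t in nodes[n][1:] if t != "call"})
        out.append({"header": nodes[header][0], "tail": nodes[tail][0],
                    "blocks": len(body), "calls": calls})
    return out


if __name__ == "__main__":
    for loop in loops_with_calls(CFG_TEXT):
        print(loop)
```

Running the file prints one dictionary per loop; for this graph that is a single entry with 32 of the 36 blocks in the body, the only blocks outside it being the entry block, the exit block 41e5d8-41e5e9, the stub 41e24a and the no-return block 41e5ea-41e5ef.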

                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: $#;,$$28 3$(:$$(:$$)$3& :0>45$<290$@$\$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                              • API String ID: 0-679915065
                                                                                                                                                                              • Opcode ID: f63a384c59880e2be165f08f3d30151c608e8e3c4723f2fe89255a400813af35
                                                                                                                                                                              • Instruction ID: bd44913ac096deb082ad73b4e6b56e58228a4cafe484209f312c39f122f53dde
                                                                                                                                                                              • Opcode Fuzzy Hash: f63a384c59880e2be165f08f3d30151c608e8e3c4723f2fe89255a400813af35
                                                                                                                                                                              • Instruction Fuzzy Hash: F0A2F170E002689BDB14DF68D9447EEBBB0BF15304F14419EE449AB382DB78AE85CF95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: $ $$28 3$(:$$(:$$)$3& :0>45$<290$\$\$cannot use operator[] with a string argument with
                                                                                                                                                                              • API String ID: 0-3638146340
                                                                                                                                                                              • Opcode ID: fe2ab4d2ad1567dab63afe1e3d22029045f78d3a9c3f3e081433c69fa4c23e38
                                                                                                                                                                              • Instruction ID: eb2dd55f6141e2d675d9ff2e9574dc4233fb147083f3686e6ff04d1ed0a00ccf
                                                                                                                                                                              • Opcode Fuzzy Hash: fe2ab4d2ad1567dab63afe1e3d22029045f78d3a9c3f3e081433c69fa4c23e38
                                                                                                                                                                              • Instruction Fuzzy Hash: AC72E270E00268DBDB24DF68D9447EEBBB0BF15304F14429ED44967382DB789A85CF95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
                                                                                                                                                                                • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
                                                                                                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,-00020019,00000000,3B3F3D07,3B3F3D08,00000000), ref: 0040C571
                                                                                                                                                                              • RegQueryValueExA.KERNELBASE(00000000,3D37321F,00000000,00020019,?,00000400), ref: 0040C5D1
                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0040C600
                                                                                                                                                                              • GetCurrentHwProfileA.ADVAPI32(?), ref: 0040C687
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CurrentProcess$CloseOpenProfileQueryValueWow64
                                                                                                                                                                              • String ID: 9 6$_$_$___
                                                                                                                                                                              • API String ID: 165412945-709806127
                                                                                                                                                                              • Opcode ID: 6d39ac5e6559a84b2e37df2bcb40e37a48af7f12a317e9fc37ea14b32202a4b5
                                                                                                                                                                              • Instruction ID: b6e6a19ac1b1cbb26a093045ac3f8d51f6027d5e17e321542ac0e50d899cf592
                                                                                                                                                                              • Opcode Fuzzy Hash: 6d39ac5e6559a84b2e37df2bcb40e37a48af7f12a317e9fc37ea14b32202a4b5
                                                                                                                                                                              • Instruction Fuzzy Hash: F502E370C00258DEDB15CFA4C894BEEBB74AF15308F1442AEE44577292EBB95B88CF95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%
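The "APIs" lists of the socket receive routine (calls at 0041E2B2 through 0041E5C5, above) and of the registry routine just above (0040C571 through 0040C687) print their arguments as raw hexadecimal stack slots. The Python below is an added example, not part of the Joe Sandbox report: it parses those lines into records and names the constants an analyst would otherwise look up by hand. The values are Windows SDK definitions (winsock2.h, winreg.h): SOL_SOCKET is 0xFFFF and SO_RCVTIMEO is 0x1006 for setsockopt; MSG_PEEK is 0x2 and MSG_WAITALL is 0x8 for recv; HKEY_LOCAL_MACHINE is 0x80000002 and KEY_READ is 0x20019 for RegOpenKeyExA. Two quirks visible on the page drive the decoder's design: the second setsockopt line begins with 0000FFFF, so its recovered argument list omits the socket handle and the decoder locates SOL_SOCKET instead of trusting positions, and the recv lines read (buf, len, flags) without the handle. What the decoded output then makes visible is a receive timeout being set, 4- and 12-byte peeks, and 12-byte and 4-byte MSG_WAITALL reads, the pattern one would use to read a length-prefixed frame; that reading is the example's inference, the report itself states no protocol. GetCurrentHwProfileA, in the registry routine, fills an HW_PROFILE_INFOA whose szHwProfileGuid is a per-machine identifier, which is worth knowing when the same function also reads a value under HKLM. The copied lines are the only input; the dataclass and decoder names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not part of the Joe Sandbox report. Input: "APIs" lines copied
# from this report for the socket receive routine (0041E2xx) and the registry /
# hardware-profile routine (0040C5xx), including the "Part of subcall" entries.
REPORT_LINES = """\
• setsockopt.WS2_32(0000038C,0000FFFF,00001006,?,00000008), ref: 0041E2B2
• recv.WS2_32(?,00000004,00000002), ref: 0041E2CD
• WSAGetLastError.WS2_32 ref: 0041E2D1
• recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 0041E34F
• recv.WS2_32(00000000,0000000C,00000008), ref: 0041E370
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0041E40C
• recv.WS2_32(00000000,?,00000008), ref: 0041E427
  • Part of subcall function 0041D430: WSAStartup.WS2_32 ref: 0041D45A
  • Part of subcall function 0041D430: getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
  • Part of subcall function 0041D430: socket.WS2_32(?,?,?), ref: 0041D4FD
  • Part of subcall function 0041D430: connect.WS2_32(00000000,?,?), ref: 0041D511
  • Part of subcall function 0041D430: closesocket.WS2_32(00000000), ref: 0041D51D
  • Part of subcall function 0041D430: freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
  • Part of subcall function 0041D430: WSACleanup.WS2_32 ref: 0041D530
• recv.WS2_32(?,00000004,00000008), ref: 0041E52F
• __Xtime_get_ticks.LIBCPMT ref: 0041E536
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041E544
• Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 0041E5BD
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 0041E5C5
  • Part of subcall function 0040AF30: GetCurrentProcess.KERNEL32(00000000,?,?,0040C4BE), ref: 0040AF3F
  • Part of subcall function 0040AF30: IsWow64Process.KERNEL32(00000000,?,0040C4BE), ref: 0040AF46
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,-00020019,00000000,3B3F3D07,3B3F3D08,00000000), ref: 0040C571
• RegQueryValueExA.KERNELBASE(00000000,3D37321F,00000000,00020019,?,00000400), ref: 0040C5D1
• RegCloseKey.ADVAPI32(00000000), ref: 0040C600
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0040C687
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Windows SDK values (winsock2.h, winreg.h); the report prints only the raw hex.
SOCKET_LEVELS = {0xFFFF: "SOL_SOCKET"}
SOL_SOCKET_OPTS = {0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
RECV_FLAGS = {0x1: "MSG_OOB", 0x2: "MSG_PEEK", 0x8: "MSG_WAITALL"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed "?"
    ref: str                   # address of the call instruction
    subcall_of: Optional[str]  # enclosing callee for "Part of subcall" lines


def parse_report(text):
    calls = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised API line: " + line)
        raw = m.group("args")
        args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def by_ref(calls, ref):
    return next(c for c in calls if c.ref == ref)


def decode_setsockopt(call):
    # The second setsockopt line in this report starts at the level argument (the
    # socket handle was not recovered), so find SOL_SOCKET instead of trusting positions.
    for i, v in enumerate(call.args[:-1]):
        if v in SOCKET_LEVELS:
            opt = call.args[i + 1]
            return SOCKET_LEVELS[v], SOL_SOCKET_OPTS.get(opt, "?" if opt is None else hex(opt))
    return None


def decode_recv(call):
    # Recovered recv argument lists in this report read (buf, len, flags[, stale slot]).
    if len(call.args) < 3:
        return None
    flags = call.args[2]
    names = [] if flags is None else [n for bit, n in RECV_FLAGS.items() if flags & bit]
    return call.args[1], names


def decode_regopen(call):
    # RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, ...); the report prints
    # samDesired with a leading minus sign, so the magnitude is looked up.
    sam = call.args[3]
    return HIVES.get(call.args[0]), None if sam is None else KEY_RIGHTS.get(abs(sam), hex(abs(sam)))


DECODERS = {"setsockopt": decode_setsockopt, "recv": decode_recv, "RegOpenKeyExA": decode_regopen}

if __name__ == "__main__":
    for c in parse_report(REPORT_LINES):
        print(c.ref, c.api, DECODERS.get(c.api, lambda call: call.args)(c))
```

Running the file prints one decoded line per call; the Sleep calls carry their millisecond counts (1 and 100) in the first argument, and the seven "Part of subcall function 0041D430" entries come out tagged with that callee so the WSAStartup/getaddrinfo/socket/connect sequence stays attributable to the helper rather than to the receive routine itself.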

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleA.KERNEL32(3B263619,?), ref: 00416186
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,34312111), ref: 00416191
                                                                                                                                                                              • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004161E1
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressCreateHandleModuleProcProcess
                                                                                                                                                                              • String ID: 3;kk$589.$D$t?01
                                                                                                                                                                              • API String ID: 3485509086-2234503220
                                                                                                                                                                              • Opcode ID: 60fdf11987f52a907e9139c4ff7ff0b270cfe81cb3f605bd94377336c0d26766
                                                                                                                                                                              • Instruction ID: 584c3f6ed54951fa46cdd62f7e73c497529d8eb16fd8f44b13c31fb8133d280f
                                                                                                                                                                              • Opcode Fuzzy Hash: 60fdf11987f52a907e9139c4ff7ff0b270cfe81cb3f605bd94377336c0d26766
                                                                                                                                                                              • Instruction Fuzzy Hash: AE51F170E00258AFDB14CFA8CC85BEEBBB4FF44704F14419EE509AB292D778A945CB84
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,3& :0>45,?,?,?,?), ref: 00422491
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FolderPath
                                                                                                                                                                              • String ID: #;,$)$3& :0>45$\$cannot use operator[] with a string argument with
                                                                                                                                                                              • API String ID: 1514166925-1855882293
                                                                                                                                                                              • Opcode ID: 705680f525d4b3f802cd47da5f0cb166720df11a01530888af75cd8aa1bbae92
                                                                                                                                                                              • Instruction ID: 2cac8e893caf096c73f10a18816257fa98d3f374838489ee5a6c4980580f9952
                                                                                                                                                                              • Opcode Fuzzy Hash: 705680f525d4b3f802cd47da5f0cb166720df11a01530888af75cd8aa1bbae92
                                                                                                                                                                              • Instruction Fuzzy Hash: 6EF1BD70D04268DADB14DF64C955BDEBBB4BF15308F1482DEE44967282DBB81B88CF91
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065C1
                                                                                                                                                                              • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004065FE
                                                                                                                                                                              • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 004066F1
                                                                                                                                                                              • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040673E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ___std_fs_directory_iterator_advance@8
                                                                                                                                                                              • String ID: .
                                                                                                                                                                              • API String ID: 2610647541-248832578
                                                                                                                                                                              • Opcode ID: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
                                                                                                                                                                              • Instruction ID: 0ef23cfc4c65f78b20a5b115fbe71865ac88f3790106b09d81af8426c26c804f
                                                                                                                                                                              • Opcode Fuzzy Hash: 8417005a20e023fd73ba9afad58ff86ec2193d77c7355dce5408bdd34dd6c1b5
                                                                                                                                                                              • Instruction Fuzzy Hash: 5AD1D071900616DFCB20CF58C8947AEB7B4FF48328F15466AD816A77C0D73AAD65CB84
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0100790E,?,?,0100790E,0100790F), ref: 0041FAA5
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileFindFirst
                                                                                                                                                                              • String ID: \
                                                                                                                                                                              • API String ID: 1974802433-2967466578
                                                                                                                                                                              • Opcode ID: c2a6168d3e0ac44845aec6a84b4bfa641a2ca9e67cddc6f64b4a54fc605115d6
                                                                                                                                                                              • Instruction ID: 0eabd7acd7812341df4d8f5e7d8ba5b9313bc1fcfed4fcfaeac043b0cd9dd738
                                                                                                                                                                              • Opcode Fuzzy Hash: c2a6168d3e0ac44845aec6a84b4bfa641a2ca9e67cddc6f64b4a54fc605115d6
                                                                                                                                                                              • Instruction Fuzzy Hash: F8B1D0708002498FDF15CFA8C8587FEBBB0BF15308F14425EE455AB292D7785A8ADB94
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __fread_nolock
                                                                                                                                                                              • String ID: ' 1'865<$($-$-$P.^$n:
                                                                                                                                                                              • API String ID: 2638373210-269613232
                                                                                                                                                                              • Opcode ID: d3363137bc850aabcc61f2d02b65d685715bcac0377b4b823f16cf6892d1055e
                                                                                                                                                                              • Instruction ID: 06e47fb3e71705996d4c10820d621363cd6d4ebf6feef214284d50ab64b5b3c6
                                                                                                                                                                              • Opcode Fuzzy Hash: d3363137bc850aabcc61f2d02b65d685715bcac0377b4b823f16cf6892d1055e
                                                                                                                                                                              • Instruction Fuzzy Hash: 0722D170D00288DFDF14DFA8C9597EDBBB0AF15308F14819ED445AB382EBB85A48DB95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 0045DA07
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 0045DA15
                                                                                                                                                                              • Sleep.KERNELBASE(000003E9,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DACA
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 0045DAD1
                                                                                                                                                                              • Sleep.KERNELBASE(00000001,?,?,00000000,?,?,?,?,?,?,?,?,0045DDB8), ref: 0045DB87
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Cursor$Sleep
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1847515627-0
                                                                                                                                                                              • Opcode ID: 1305e8b84abd8f11ed362210ed92b6921c6aed97f625362779b6103c1612edfd
                                                                                                                                                                              • Instruction ID: e8049105a74d3e0261715eac98f4d2121e3debad5535f3f1e8485cbb4cdad7bb
                                                                                                                                                                              • Opcode Fuzzy Hash: 1305e8b84abd8f11ed362210ed92b6921c6aed97f625362779b6103c1612edfd
                                                                                                                                                                              • Instruction Fuzzy Hash: 70519A31A082428FCB24CF18C4D0E6AB7E2EF89705F19499EE8859B352D735FD49CB85
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Strings
                                                                                                                                                                              • min, xrefs: 004CCC6B
                                                                                                                                                                              • max, xrefs: 004CCCCE
                                                                                                                                                                              • too many terms in compound SELECT, xrefs: 004CB666
                                                                                                                                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 004CB6AC
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: max$min$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
                                                                                                                                                                              • API String ID: 0-2877691265
                                                                                                                                                                              • Opcode ID: da226f26012b65685aa223540cd344d9d8acf49faf47b2076c4c2ecae620ebc1
                                                                                                                                                                              • Instruction ID: c1929985df6c20adc65602af42118a6c04867d104e31f5cdb5b9dcf57f3213a0
                                                                                                                                                                              • Opcode Fuzzy Hash: da226f26012b65685aa223540cd344d9d8acf49faf47b2076c4c2ecae620ebc1
                                                                                                                                                                              • Instruction Fuzzy Hash: 881356746047418FD724DF19C090F2ABBE1FF85308F15896EE98A8B352DB79E845CB86
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004F67B4,00000000,00000000,00000000), ref: 004F6673
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InformationTimeZone
                                                                                                                                                                              • String ID: W. Europe Standard Time$W. Europe Summer Time
                                                                                                                                                                              • API String ID: 565725191-690618308
                                                                                                                                                                              • Opcode ID: 83fdf657cb7f9a7a8f95d9276a717656136ca0864d6a24c16211394cc139b29d
                                                                                                                                                                              • Instruction ID: 9cad27d5f2b54b569fbe64af901152f9cd98cd860f96ba3425b9b03ecf62c301
                                                                                                                                                                              • Opcode Fuzzy Hash: 83fdf657cb7f9a7a8f95d9276a717656136ca0864d6a24c16211394cc139b29d
                                                                                                                                                                              • Instruction Fuzzy Hash: 91C12672D00119ABDB14BB65DC02ABF7BB9EF04758F11406BFA01EB295E7389E01D798
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
• CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 0041F3E5
• LocalFree.KERNEL32(?), ref: 0041F414
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CryptDataFreeLocalUnprotect
• String ID: jjjj
• API String ID: 1561624719-48926182
• Opcode ID: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
• Instruction ID: 409469ce869bb278a755ece448acb5b2db033f64c44fe4e4698fcece5c69adc3
• Opcode Fuzzy Hash: aa4404672b2df8b18a26a615dff9fcff1f65acf6459e9ad9dae77a66ff4ba265
• Instruction Fuzzy Hash: DDF0A7B2C4011896DF109BA49C01BEFB765FB54721F004037DC59A3340EB3948898ADA

APIs
• FindClose.KERNEL32(000000FF,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB1D7
• FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB206
• GetLastError.KERNEL32(?,0046BEC7,?,00000000,?,00473681,?,00000000), ref: 004DB218
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Find$CloseErrorFileFirstLast
• String ID:
• API String ID: 4020440971-0
• Opcode ID: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
• Instruction ID: 8aa795b071709f9ad919938827d4aff15d16b66e82d9f8c16838a8eaa28f277c
• Opcode Fuzzy Hash: f1d414bdb1a830b9c19e1c1a91ab6db378ddacdc0024ae8e2650c4f043538abd
• Instruction Fuzzy Hash: D9F05431000508FFDB111FA5DC189AF7B9CEF143B0B108627BD68C56A0D73199A296E4

Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
• Instruction ID: e16f3952025df4b57fbfa53020dcabc30b9a59b88706b4710c7fb5b6fa6fa324
• Opcode Fuzzy Hash: f47df8a979cf4f857dc537b9ef44913b95696ce48800f52ac5a31c4eb421a18d
• Instruction Fuzzy Hash: D4028EB06047019FDB64CF29C840B27BBE0AF89314F15493EE48AC7751DB78E949CB5A

Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
• Instruction ID: b0f2f4a4c71a32763588803a0d4209da0bfab023c608772363e77a77a94ad2d5
• Opcode Fuzzy Hash: 79f90e00dc77957be7610ff531ea09f8d3cb8def4dcd7f8d4dea2ba9a82dffaa
• Instruction Fuzzy Hash: 30B1E17190468A9BCB35CF6BC4956BFB7A1AF08306F140A1FD992973C1C739AD02CB59

Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
• Instruction ID: d460b15ecaef89ee619ee12d19a6560aac0686608ff237d971a34b1c2572f41b
• Opcode Fuzzy Hash: aead1b18fa6655e2046488e2d56f3586447149cbf6bdb60b8fae25e10e23de9f
• Instruction Fuzzy Hash: 4342B070A006458FDB14EE78C8807AEFBA1FF45310F148A6ED4A5E7781D738E54ACBA5

Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
• Instruction ID: 0f76039a442bb9952bef901009f789ffb67366a02fe10e258d8ab1312df69022
• Opcode Fuzzy Hash: 0702e79ebe35d7f2eab4924e86644c543a8bfec9af84c7524f60a6a2cffea22b
• Instruction Fuzzy Hash: C2B19F71A057019FC720EE69C840A5BB7E1EF88324F144F2EF8AAD3790D778E9458B56

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 00442C53
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442CAF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004434EF
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00443639
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0044337F
  • Part of subcall function 0040E7B0: FindFirstFileA.KERNEL32(00000000,7F7A790F,?,7F7A790E,00445E27,00000000,7F7A790E,7F7A790F,74DF3100,?), ref: 0040E929
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442CE0
  • Part of subcall function 0040B1A0: GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
  • Part of subcall function 0040B1A0: GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00442E08
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00442E37
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00442F2F
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443029
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00443087
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004431B8
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0044324A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$CreateDirectory$Copy$FolderPath$AttributesErrorFindFirstLast
• String ID: 1,)$ghi$! 2;$!#7)$"83<$";=w$";=w$"?=+$#9;1$$'4<$%1$%26>$&+$&2$)u$0$)u$0$)u$0$)u(%$)u6.$*$+$.$.4.<$.4.<$.4.<$0(33$0(33$0+$0>?$0>?$0>?$0>?w$0>?w$11$1<:3$1>6$2$2$2$315$315$3$$34*8$3:$3>2)$3y<8$4(r)$4>($4>($61$6:$6:$759*$759*$759*$7:$7;x$7;x$7;x$864$864$9"6-$9"6-$9"6-$9"6-$9"6-$9:$9:$9:$;26-$</$?($?($?($?)$?)/$?0$_$k$t224$w Y_[]$|';-$|76$|::<
• API String ID: 3765264142-139938508
• Opcode ID: d0ef6f445f74236b45a801a89b02234199cc2a299b26c4be1559bc5011b2e69b
• Instruction ID: 3de45bc02bde8f5d1410f05e926e2ccc20553a8a2b94b07571620541858a5efa
• Opcode Fuzzy Hash: d0ef6f445f74236b45a801a89b02234199cc2a299b26c4be1559bc5011b2e69b
• Instruction Fuzzy Hash: 4C538D70C04298DADB21EB65CD557DEBB74AF21308F4441EAD449772C2EBB81B88CF96

Control-flow Graph
• Rendered graph of the function starting at 00474AC0 (basic blocks 474ac0 through 47589a) not reproduced; the graph shows calls into 402af0, 402f50, 408130, 46dec0, 46e550, 4758e0, 4dcb23, 4e1ea0 and ___std_exception_destroy among others, with the executed / not-executed block colouring not recoverable from the text export.

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00474FE3
• ___std_exception_destroy.LIBVCRUNTIME ref: 00474FF7
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047510F
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475123
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751E0
• ___std_exception_destroy.LIBVCRUNTIME ref: 004751FA
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475369
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047537D
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475452
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475466
• ___std_exception_destroy.LIBVCRUNTIME ref: 0047554C
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475560
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475811
• ___std_exception_destroy.LIBVCRUNTIME ref: 00475825
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ___std_exception_destroy
• String ID: O$array$number overflow parsing '$object$value
• API String ID: 4194217158-306733086
• Opcode ID: 61c38a80455432cc09a2b9c9bad55e33ddf206dade7b965c1c237f752aa70884
• Instruction ID: 2b8bbb5fb6bef53096142a6844d47d0bb0a5a7ac0895a6da9de1fd59fd81eee6
• Opcode Fuzzy Hash: 61c38a80455432cc09a2b9c9bad55e33ddf206dade7b965c1c237f752aa70884
• Instruction Fuzzy Hash: 4192A170C00248DEDB10DFA4C944BEEBFB5BF55304F14859ED459BB282E7786A48CBA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,0000005C), ref: 00410419
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00410440
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderPath
• String ID: $39$12*y$9%!$9>6$\$z
• API String ID: 1514166925-764209152
• Opcode ID: 38d7cbbd41fdc934153250d5d17a244b39b369c64484e9a8fb66c168808b283b
• Instruction ID: 59b6d6f339ba7e2f22b0134f03f68e765181b61f31e9b392b5e3c28a430878f0
• Opcode Fuzzy Hash: 38d7cbbd41fdc934153250d5d17a244b39b369c64484e9a8fb66c168808b283b
• Instruction Fuzzy Hash: E772DE70C0029D9ACF25DB64CD557EEB774AF15308F0442EAD04977292EBB82B89CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegGetValueA.KERNELBASE(80000002,?,34393C16,0001FFFF,00000001,?,00000104), ref: 0040CBD2
• GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 0040CC3C
• LsaOpenPolicy.ADVAPI32(00000000,0054267C,00000001,00000000), ref: 0040CC95
• LsaQueryInformationPolicy.ADVAPI32(00000000,0000000C,?), ref: 0040CCA8
• LsaFreeMemory.ADVAPI32(?), ref: 0040CCD6
• LsaClose.ADVAPI32(00000000), ref: 0040CCDF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
• String ID: %wZ$?9
• API String ID: 762890658-830384695
• Opcode ID: a14e4553e443ecd4be1b87ce77b34667ff650a3cf470428272776160caaff946
• Instruction ID: 5c12321940df4fd8fb71f447f481a877f50f156e5d1b3200ddc0c7ffc2d86234
• Opcode Fuzzy Hash: a14e4553e443ecd4be1b87ce77b34667ff650a3cf470428272776160caaff946
• Instruction Fuzzy Hash: 3B612671804348DBEB11DFA4DC49BEEBBB8FF09708F00426EE545B6182E7B55689CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00439BA8
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00439C52
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FolderNamesPathPrivateProfileSection
• String ID: )u53$0>4<$1<;>$7$?2+$TbE
• API String ID: 2478605195-2592757414
• Opcode ID: 1606ea9120c7d04a6346da00d7890c6e7c48432ada12fe9634ef06a45c9dc041
• Instruction ID: 7174201a8848e788bf8bea569bcfc7b55b4c84013191dce98e5d5293a2ecbe93
• Opcode Fuzzy Hash: 1606ea9120c7d04a6346da00d7890c6e7c48432ada12fe9634ef06a45c9dc041
• Instruction Fuzzy Hash: 18519E74905398EEDB11DFA4CC45BCDBBB4AF15304F1040DAE549AB282D7B86B88CF56
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBB6
• GetProcAddress.KERNEL32(00000000,06150005), ref: 0041DBC1
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0041DBD6
• GetCurrentProcess.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0041DEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AddressCurrentHandleModuleProcProcessSend
• String ID: %1$39<$Ws2_32.dll
• API String ID: 3060695839-1710563983
• Opcode ID: 385b1676973be124b293a0b3897a1b7b4b46c9ac62b799964ae5bbbd6be22116
• Instruction ID: bb544734cddad546c251b080f02150c0b6b95f0d694eae3eeb7ddbcd143b20fb
• Opcode Fuzzy Hash: 385b1676973be124b293a0b3897a1b7b4b46c9ac62b799964ae5bbbd6be22116
• Instruction Fuzzy Hash: EE6225B0D04288DEDF10DFA8C9557EEBFB0AF15308F24415ED4456B282E7B85A88DBD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000000,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B1FC
• GetLastError.KERNEL32(?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B207
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B24F
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B260
Strings
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID: \*.*$DT$DT
• API String ID: 995686243-3062393244
• Opcode ID: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
• Instruction ID: 98fd9ba19aa43d818a037ed0b56ad2d2959cead2aa0cd36f25e414e829a489f2
• Opcode Fuzzy Hash: 7c93be0e39bac07192ae234e4444476cb8469c1607e3cac452f8ce700f80683a
• Instruction Fuzzy Hash: 65110371940600E7CB205BA8A809BBE3654E713728F2087BFD425B77D0D73989048ADE
Uniqueness

Uniqueness Score: -1.00%
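The API lists in these Execution Graph entries are more useful once their numeric arguments are decoded: SHGetFolderPathA with 0x1A / 0x1C resolves to CSIDL_APPDATA / CSIDL_LOCAL_APPDATA, RegGetValueA's first argument 0x80000002 is HKEY_LOCAL_MACHINE with RRF_RT_ANY (0x0001FFFF) as the type filter, GetComputerNameExA(2) asks for ComputerNameDnsDomain, LsaOpenPolicy with access 1 is POLICY_VIEW_LOCAL_INFORMATION, and LsaQueryInformationPolicy class 0xC is PolicyDnsDomainInformation, which matches the "%wZ" (UNICODE_STRING) format string seen in that function. The script below is an added triage helper, not part of the Joe Sandbox report and not RisePro code: it parses the report's "• Name.MODULE(args), ref: ADDR" lines, decodes those constants from the Windows SDK definitions, and tags each function with the behaviour its API set is consistent with. The sample input is copied from the entries on this page; the tag names and the rule for each tag are this example's own assumptions, and the tags describe what the calls are consistent with, not a verdict.

```python
"""Triage helper for the API lists in a Joe Sandbox Execution Graph section.

Added example; not from the report and not the sample's own code.
"""
import re

# One "• Name.MODULE(args), ref: ADDR" line as printed by the Joe Sandbox IDA plugin.
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Windows SDK constants for the arguments worth decoding during a stealer triage.
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
RRF = {0x0001FFFF: "RRF_RT_ANY"}
COMPUTER_NAME_FORMAT = {0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname",
                        2: "ComputerNameDnsDomain", 3: "ComputerNameDnsFullyQualified"}
POLICY_INFORMATION_CLASS = {3: "PolicyPrimaryDomainInformation",
                            5: "PolicyAccountDomainInformation",
                            12: "PolicyDnsDomainInformation"}
LSA_ACCESS = {0x1: "POLICY_VIEW_LOCAL_INFORMATION"}

# (api name, zero-based argument index) -> table used to decode that argument.
ARG_DECODERS = {
    ("SHGetFolderPathA", 1): CSIDL, ("SHGetFolderPathW", 1): CSIDL,
    ("RegGetValueA", 0): HKEY, ("RegGetValueA", 3): RRF,
    ("GetComputerNameExA", 0): COMPUTER_NAME_FORMAT,
    ("LsaOpenPolicy", 2): LSA_ACCESS,
    ("LsaQueryInformationPolicy", 1): POLICY_INFORMATION_CLASS,
}

def decode_arg(api, index, raw):
    """Symbolic name for one logged argument, or the raw token ("?" etc.) if unknown."""
    table = ARG_DECODERS.get((api, index))
    if table is None or not re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return raw
    return table.get(int(raw, 16), raw)

def parse_apis(block):
    """Parse every API line of one Execution Graph entry; other lines are ignored."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                      "args": [decode_arg(m["name"], i, a) for i, a in enumerate(args)]})
    return calls

# Behaviour tags (assumed names), each a predicate over one function's decoded calls.
RULES = {
    "profile_dir_lookup": lambda c: any(
        x["name"].startswith("SHGetFolderPath")
        and any(a in ("CSIDL_APPDATA", "CSIDL_LOCAL_APPDATA") for a in x["args"]) for x in c),
    "ini_section_enum": lambda c: any(
        x["name"].startswith("GetPrivateProfileSectionNames") for x in c),
    "host_fingerprint": lambda c: any(
        x["name"] in ("GetComputerNameExA", "LsaQueryInformationPolicy")
        or (x["name"] == "RegGetValueA" and "HKEY_LOCAL_MACHINE" in x["args"]) for x in c),
    "dynamic_import": lambda c: any(x["name"] == "GetProcAddress" for x in c),
    "socket_send": lambda c: any(x["name"] in ("WSASend", "send") for x in c),
    "outbound_connect": lambda c: {"socket", "connect"} <= {x["name"] for x in c},
    "path_probe": lambda c: any(x["name"].startswith("GetFileAttributes") for x in c),
}

def triage(report_text):
    """Split report text at each "APIs" heading (one per function) and tag each entry.

    Returns {ref of first call: {"apis": [names], "tags": [sorted tag names]}}.
    """
    result = {}
    for block in re.split(r"^\s*APIs\s*$", report_text, flags=re.M)[1:]:
        calls = parse_apis(block)
        if calls:
            result[calls[0]["ref"]] = {"apis": [x["name"] for x in calls],
                                       "tags": sorted(t for t, p in RULES.items() if p(calls))}
    return result

# Constructed sample: API lines copied from the entries above, in the report's layout.
SAMPLE = """\
APIs
• RegGetValueA.KERNELBASE(80000002,?,34393C16,0001FFFF,00000001,?,00000104), ref: 0040CBD2
• GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 0040CC3C
• LsaOpenPolicy.ADVAPI32(00000000,0054267C,00000001,00000000), ref: 0040CC95
• LsaQueryInformationPolicy.ADVAPI32(00000000,0000000C,?), ref: 0040CCA8
• LsaClose.ADVAPI32(00000000), ref: 0040CCDF
Strings
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00439BA8
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00439C52
Strings
APIs
• WSAStartup.WS2_32 ref: 0041D45A
• getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
• socket.WS2_32(?,?,?), ref: 0041D4FD
• connect.WS2_32(00000000,?,?), ref: 0041D511
• closesocket.WS2_32(00000000), ref: 0041D51D
"""

if __name__ == "__main__":
    for ref, info in triage(SAMPLE).items():
        print(ref, info["tags"], ", ".join(info["apis"]))
```

Run it on a saved copy of the report text instead of SAMPLE to get one line per function; a function tagged profile_dir_lookup plus ini_section_enum is the one to open first when chasing the report's "Tries to steal Mail credentials" signature, since an .ini under %APPDATA% whose sections are enumerated is where profile locations are usually read.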

APIs
• WSAStartup.WS2_32 ref: 0041D45A
• getaddrinfo.WS2_32(?,?,?,00544318), ref: 0041D4DC
• socket.WS2_32(?,?,?), ref: 0041D4FD
• connect.WS2_32(00000000,?,?), ref: 0041D511
• closesocket.WS2_32(00000000), ref: 0041D51D
• freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D52A
• WSACleanup.WS2_32 ref: 0041D530
• freeaddrinfo.WS2_32(?,?,?,?,00544318,?,?), ref: 0041D545
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
• String ID:
• API String ID: 58224237-0
• Opcode ID: 1366ad5779fb1d9e896f6c3f08975c03dc1aab9f9250e2a0f463ba84f3e17d7b
                                                                                                                                                                              • Instruction ID: 3c9476e75c3fd4fec55e94a635383449f643eb380b6605d060e559485908137f
                                                                                                                                                                              • Opcode Fuzzy Hash: 1366ad5779fb1d9e896f6c3f08975c03dc1aab9f9250e2a0f463ba84f3e17d7b
                                                                                                                                                                              • Instruction Fuzzy Hash: A431C472904710ABC7209F25DC486ABB7E5BBD4368F104B1EF8B4932A0E374A8489656
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477949
                                                                                                                                                                                • Part of subcall function 004778C0: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00477991
                                                                                                                                                                              • GetFileAttributesA.KERNELBASE(?), ref: 004077C1
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ___std_fs_convert_narrow_to_wide@20$AttributesFile
                                                                                                                                                                              • String ID: $.zip$/$\$recursive_directory_iterator::recursive_directory_iterator
                                                                                                                                                                              • API String ID: 2896367778-1520678085
                                                                                                                                                                              • Opcode ID: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
                                                                                                                                                                              • Instruction ID: 83cbc35ccc226e9dfc96b22cc8f0aa30fdcd4d5be8d4862c17add94487e3c136
                                                                                                                                                                              • Opcode Fuzzy Hash: 2fad60e87e1e802c277f3282e679dfa3b8b58277df00ea7f9a444588ff8a1a58
                                                                                                                                                                              • Instruction Fuzzy Hash: 55429D70D05258DFDB10DFA8C9587DEBBB0BF15308F14819DE4097B282DB785A88CB96
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCC0
                                                                                                                                                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 0046CCDA
                                                                                                                                                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 0046D09A
                                                                                                                                                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 0046D0B4
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ___std_exception_destroy
                                                                                                                                                                              • String ID: .$value
                                                                                                                                                                              • API String ID: 4194217158-1166439862
                                                                                                                                                                              • Opcode ID: e4d2c8bf8eacc67e6997dd18ec727800c74d1e7f31625a4997ea1991802491bb
                                                                                                                                                                              • Instruction ID: 6bb52dc470a67732b65bfa6fba687dde157c2efc00668daf5dfdc611f465addf
                                                                                                                                                                              • Opcode Fuzzy Hash: e4d2c8bf8eacc67e6997dd18ec727800c74d1e7f31625a4997ea1991802491bb
                                                                                                                                                                              • Instruction Fuzzy Hash: 09328D70D01288DEDB14CFA9C9547EEBBB1AF15304F24819EE458AB382E7785B48DF52
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: d2ea7220ccbc7587e5769382b7ad68f423b836976d9c7076096d278bdda67aec
                                                                                                                                                                              • Instruction ID: e1f0bbcd43b77d7626f4e77856158d48870e96d21c9a9c54683f95f8a13591de
                                                                                                                                                                              • Opcode Fuzzy Hash: d2ea7220ccbc7587e5769382b7ad68f423b836976d9c7076096d278bdda67aec
                                                                                                                                                                              • Instruction Fuzzy Hash: D5B15974E0424CEFDB11DF99D880BBE7BB1AF56304F14415AE6049B3A2C778AD42CB69
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D79A
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,06150005), ref: 0041D7A5
                                                                                                                                                                              • WSASend.WS2_32(0000000F,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041D7BA
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressHandleModuleProcSend
                                                                                                                                                                              • String ID: 39<$Ws2_32.dll
                                                                                                                                                                              • API String ID: 2819740048-4200987404
                                                                                                                                                                              • Opcode ID: c69c04ee7ae2295ddacff926e2ae81a183a2070aca705dce49a36a733aacb347
                                                                                                                                                                              • Instruction ID: 51d12b58568d2725e11e2f3ede4e953a1ffade967b8a63a07fe4bd30ab4072ec
                                                                                                                                                                              • Opcode Fuzzy Hash: c69c04ee7ae2295ddacff926e2ae81a183a2070aca705dce49a36a733aacb347
                                                                                                                                                                              • Instruction Fuzzy Hash: C7A179B0E00214DFCB24DF58C9447AEBBF0AF18714F18855EE869AB381D779AD81CB95
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000000), ref: 00414337
                                                                                                                                                                              • std::_Throw_Cpp_error.LIBCPMT ref: 00414482
                                                                                                                                                                              • std::_Throw_Cpp_error.LIBCPMT ref: 00414493
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Cpp_errorThrow_std::_$CopyFile
                                                                                                                                                                              • String ID: \
                                                                                                                                                                              • API String ID: 4177132511-2967466578
                                                                                                                                                                              • Opcode ID: d2dbee1534c5c85b3556dab985fa2ee1985f678c8ffbde03522007a8a5baf56b
                                                                                                                                                                              • Instruction ID: ec448d641316e2a3872437f4d92d0186c9a642a8506e38dff8007fdda78d9240
                                                                                                                                                                              • Opcode Fuzzy Hash: d2dbee1534c5c85b3556dab985fa2ee1985f678c8ffbde03522007a8a5baf56b
                                                                                                                                                                              • Instruction Fuzzy Hash: 8681FC70D00288DFDF04DBE4D945BEDBBB4EF15308F20429EE41067292EBB81A48DB96
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0049131F
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0049132A
                                                                                                                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00491352
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0049135C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ErrorFileLast$PointerRead
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2170121939-0
                                                                                                                                                                              • Opcode ID: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                              • Instruction ID: 0b9ab4fa7100161e3312e7656db52f40096a583a722d5ee13f2c0e10fa81db1a
                                                                                                                                                                              • Opcode Fuzzy Hash: fc66bafa82d2f8404cdf7c252faac411a51537015cb655470ecd5fc5aba69e13
                                                                                                                                                                              • Instruction Fuzzy Hash: EA114632600509EBDB108FA9EC05BDABBA8EF55371F008267FD1CC6660E775D9609BD0
                                                                                                                                                                              Uniqueness

                                                                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 004F2053: GetConsoleOutputCP.KERNEL32(C835321C,00000000,00000000,?), ref: 004F20B6
                                                                                                                                                                              • WriteFile.KERNELBASE(?,00000000,004E6777,?,00000000,00000000,00000000,?,00000000,?,00000000,wgN,00000000,00000000,?,?), ref: 004F2AC2
                                                                                                                                                                              • GetLastError.KERNEL32(?,004E6777,00000000,?,00000000,?,00000000,00000000), ref: 004F2ACC
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID: wgN
• API String ID: 2915228174-354891312
• Opcode ID: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
• Instruction ID: 58ddb85c8bea4c2b3dbe3e5c994e5fd3db19d053895fb78a9c91e10694f9601d
• Opcode Fuzzy Hash: c4e0fab56aaa5aa668606d57f16693d2fff82ef8988b3cb834d35c0f5d62a876
• Instruction Fuzzy Hash: BB61A271D0011EAFDF11CFA8CA84EFEBBB9AF19304F14014AEA00A7255D3B9D906CB55
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F4253: RtlFreeHeap.NTDLL(00000000,00000000,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4269
  • Part of subcall function 004F4253: GetLastError.KERNEL32(004E60B3,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4274
• GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004F67B4,00000000,00000000,00000000), ref: 004F6673
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorFreeHeapInformationLastTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 3335090040-690618308
• Opcode ID: 76eabf8b9fefbc0f82c39e30ff9c0a32debad6d34d411fa20371c7aef0a9fd2d
• Instruction ID: 93f141717271661ea9db8106dfbabb38566b4f45f23fbb06abea1e9cd715a989
• Opcode Fuzzy Hash: 76eabf8b9fefbc0f82c39e30ff9c0a32debad6d34d411fa20371c7aef0a9fd2d
• Instruction Fuzzy Hash: 1E41FB71D00219BBCB14BF66DC459AE7BB8EF05368B11415BF610D72A1DB389E04DB98
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004DE42B: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045DCD0,0045DCD0,?,?,004DAF37,0045DCD0,0053D744,00000000,0045DCD0,00000000,00000001), ref: 004DE48B
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
• String ID: absolute
• API String ID: 1297148070-2799662678
• Opcode ID: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
• Instruction ID: df52e70302dbc25e70dbc729ec55d43ed626788b5323ae355475d9aa96fec0df
• Opcode Fuzzy Hash: 83d60d2f71de9d8f69fa5d81af5cafba3f0471d6c422f5ef9654ebbd380b6de7
• Instruction Fuzzy Hash: 9831D071900618ABCB20EF55C945AAFBBB8FF44764F00066AE815773C1DB38AA04CBE5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: __fread_nolock
• String ID: 1$qZC
• API String ID: 2638373210-4291668569
• Opcode ID: e6e22c07389a48e61ae8e95e7b83de7e9b3121829484d644dc2acc3f52427005
• Instruction ID: d341f4343d4f5fdecf0593ce2782d3c7c06861483f708230bb127ce9c5082770
• Opcode Fuzzy Hash: e6e22c07389a48e61ae8e95e7b83de7e9b3121829484d644dc2acc3f52427005
• Instruction Fuzzy Hash: 0B31C1709043459BDB20EF69C905BAFBBF4EF44704F10066EE5416B282D7B99A48CBD6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00000005,?,?,0045E8D7,00000000,00000000,?,00000000), ref: 0040B2B5
  • Part of subcall function 004DBDDA: ReleaseSRWLockExclusive.KERNEL32(?,DT,0040B6FD,005444E8,?,?,\*.*,00000004), ref: 004DBDEE
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B2E4
• std::_Throw_Cpp_error.LIBCPMT ref: 0040B2F5
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CreateDirectoryExclusiveLockRelease
• String ID:
• API String ID: 1881651058-0
• Opcode ID: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
• Instruction ID: 2083917a30228ff47c2f58c55b42abb2321d0377fce0ac6287103c5d37e315ef
• Opcode Fuzzy Hash: 4aa31760ff55f9e8091e016fbf5db6d1ac4fd96c015ccc68c759aad941cf529b
• Instruction Fuzzy Hash: E0F086B5980704EBDB209B5A9D06B9A7A98E702B38F11436FF435533D0E7755A00CAEA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,004EC813,?,004E1C93,?,?,C835321C,004E1C93,?), ref: 004EC82A
• TerminateProcess.KERNEL32(00000000,?,004EC813,?,004E1C93,?,?,C835321C,004E1C93,?), ref: 004EC831
• ExitProcess.KERNEL32 ref: 004EC843
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
• Instruction ID: 441ef718a996dc58b5bae7a476c47dbc26188b301f5d8cdfa8241a9a43c48a8d
• Opcode Fuzzy Hash: 570eabad1b53be2d073ee1c841cabbe5f8cdf0a80e41f99a4d5a77ab8836c315
• Instruction Fuzzy Hash: AED05E32000544FBCF013F62DE4D8993F29BFA0347B448025B86549131DB79895AEA84
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0047887E
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: WF
• API String ID: 118556049-3269146837
• Opcode ID: 0d3fff30ff6584a27bed6aa9a994ba9ba84eddafc1fa4227622810e2c2b696b2
• Instruction ID: 3ab1529a9723302c1f437a0db943357650608c6a53bfd2449bd8fed2b14d66f4
• Opcode Fuzzy Hash: 0d3fff30ff6584a27bed6aa9a994ba9ba84eddafc1fa4227622810e2c2b696b2
• Instruction Fuzzy Hash: 0D41D571A001158FCB18DF6DC9859AEBBB9EB84350B24822FE819DB385DB74DD01CB95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0043E9E1
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FolderPath
• String ID: "6
• API String ID: 1514166925-701612358
• Opcode ID: b949de36dffe6a65c5d71fce7b12989b39bf068e0a56ac47bc333a1a6a49265b
• Instruction ID: 7f6c3857031e9ecd41295e242b3f508b67c493e0e27127d8f4aabd3770d547c9
• Opcode Fuzzy Hash: b949de36dffe6a65c5d71fce7b12989b39bf068e0a56ac47bc333a1a6a49265b
• Instruction Fuzzy Hash: 09512970C04298CAEB15DF64C948BEDB770BF16304F1082DDD4896B2C2DBB51A89CF65
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __fread_nolock
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2638373210-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00414675
• std::_Throw_Cpp_error.LIBCPMT ref: 00414686
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 004061E8
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406202
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
• String ID:
• API String ID: 3016148460-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,0053DB98,00000000,00000002,00000000,00000000,?,?,?,004EB856,00000000,?,00000000,00000002,0053DB98), ref: 004EB788
• GetLastError.KERNEL32(00000000,?,?,?,004EB856,00000000,?,00000000,00000002,0053DB98,00000000,00000000,00000000,0053DB98,0000000C,004E684E), ref: 004EB795
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4269
• GetLastError.KERNEL32(004E60B3,?,004FAD87,004E60B3,00000000,004E60B3,?,004FB028,004E60B3,00000007,004E60B3,?,004FB51C,004E60B3,004E60B3), ref: 004F4274
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,004F9713,4D88C033,?,004F9713,00000220,?,004F2C8F,4D88C033), ref: 004F42FF
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C3B0000), ref: 0043CA73
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C3B0000), ref: 0043CA73
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041E7C7
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E867
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E907
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E9A7
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EA47
Memory Dump Source
• Source File: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness
Uniqueness Score: -1.00%